Privacy Policy

Effective June 8, 2026 · Version 2026-06-08

This policy explains what information RefrdBy collects from Providers, Clients, and Affiliates, how we use and share it, and the choices you have. Questions can be sent anytime to hello@refrdby.com.

1. About this policy

This Privacy Policy explains how RefrdBy ("RefrdBy", "we", "us", "our") collects, uses, shares, and protects information when you use our referral and rewards platform (the "Service") — whether you're a "Provider" (a local business running a referral program), a "Client" (a Provider's customer who is referred, books, or refers others), an "Affiliate" (someone promoting a Provider for commission), a "Partner" (someone promoting RefrdBy itself through the RefrdBy Partner Program), or an administrator.

This policy should be read together with our Terms & Conditions. By using the Service, you agree to the practices described here. If you have questions, reach us at hello@refrdby.com.

2. Information we collect

We collect information in three broad ways: information you (or a Provider acting on your behalf) give us directly, information generated automatically as you use the Service, and information we receive from third parties who help us operate it.

  • Account & profile information — name, business name, email address, phone number, password (stored only as a secure one-way hash), service area/location, profession or "vertical", and similar details you provide when registering as a Provider, accepting an Affiliate invitation, applying to the Partner Program, or being added as a Client.
  • Partner Program application & profile information — if you apply to the RefrdBy Partner Program, we collect the details on the application form: your name, email, phone number, where and how you plan to promote RefrdBy (for example, social media handles or audience description), your preferred payout method (such as check or ACH), and any payout-related notes you choose to add. We deliberately do not ask for or store full bank account numbers, card numbers, or other complete financial account details anywhere in the Service — see Section 5A for more on how Partner payouts are handled.
  • Referral & booking activity — referral links you create or follow, who referred whom, booking/enquiry details (service type, notes, requested times), appointment status and history, rewards earned or issued, affiliate commissions and payout status, and — for Partners — clicks on your Partner referral link, resulting signups, and bounty/commission status.
  • Communications & consent — your choices about receiving SMS and email updates (for example, the SMS-consent checkbox shown on a booking form), the content of messages we send on a Provider's behalf, and any messages you send to our support address.
  • Account-security & audit information — for every significant action taken on the platform (such as logging in, creating a client, completing an appointment, or changing settings), we record a timestamp, a description of the action, the type of user who performed it, and the IP address and browser/user-agent string the action came from. This powers the internal audit log described in Section 5.
  • Billing information — if a Provider subscribes to a paid plan, payment is handled by our payment processor (Square). We receive limited information back from Square (such as plan tier, subscription status, and the last four digits/brand of a card on file) — we do not store full card numbers ourselves.
  • Device & usage data — IP address, browser type, device identifiers, pages visited, links clicked, referral-link conversions, and similar analytics-style information collected automatically through cookies, log files, and similar technologies (see Section 6). If you install RefrdBy as a Progressive Web App, we may also store basic app data on your device to support offline use and notifications.

3. How we use information

We use the information described above to:

  • Operate the Service — create and manage accounts, generate and track referral links (including Partner referral links), route booking requests to the right Provider, review and process Partner Program applications, calculate and issue rewards, affiliate commissions, and Partner bounties, and process subscription billing;
  • Communicate with you — send account, booking, reminder, reward, and referral-related messages by SMS and/or email (consistent with the choices you've made), respond to support requests, and (where you've agreed) send product updates;
  • Personalize the experience — tailor referral pages, reward suggestions, and messaging templates to a Provider's profession and a Client's activity;
  • Keep the Service safe and accountable — detect and prevent fraud, abuse, or security incidents; maintain the audit log described below; enforce our Terms; and meet legal and regulatory obligations;
  • Improve the Service — understand how features are used (in aggregate or de-identified form wherever practical) so we can fix problems and build better tools.

4. How we share information

We don't sell your personal information. We share it only in the following circumstances:

  • With the Provider you're interacting with — if you're a Client or Affiliate, the Provider whose referral program you're part of can see the information relevant to that relationship (for example, your name, contact details, booking history, referral activity, or commission records), because they need it to run their business and fulfil rewards or commissions. (Partners are different — see Section 5A: we don't share a Partner's personal details with the businesses they refer, or vice versa, beyond what's needed to run and audit the Partner Program.)
  • With service providers who help us operate — payment processing (Square), SMS and email delivery, cloud hosting and storage, and similar vendors who process information on our behalf under contractual confidentiality and security obligations, and only to the extent needed to provide their service to us.
  • For legal and safety reasons — where we believe in good faith that disclosure is required by law, regulation, legal process, or governmental request, or is necessary to protect the rights, property, or safety of RefrdBy, our users, or the public.
  • In connection with a business transaction — if RefrdBy is involved in a merger, acquisition, financing, reorganization, or sale of assets, information may be transferred as part of that transaction, subject to the protections described in this policy.
  • With your direction or consent — for any other purpose disclosed to you at the time of collection, or with your agreement.

5. The audit log, IP addresses & accountability

Because RefrdBy handles bookings, rewards, and commissions involving real people and real money, we maintain an internal, admin-only audit log that timestamps significant actions taken by Providers, Clients, Affiliates, and admins — for example, logins, account changes, client and appointment activity, reward and commission events, and admin actions — together with a short description, the type of actor involved, and the IP address and user-agent the action came from.

This log exists to help administrators understand how the platform is actually being used, investigate suspicious or abusive activity, troubleshoot problems, and meet our security and compliance obligations. It is visible only to platform administrators (not to Providers, Clients, or Affiliates), is retained only as long as reasonably needed for these purposes, and is protected with the same technical and organizational safeguards as the rest of the Service.

5A. The RefrdBy Partner Program & referral attribution

The RefrdBy Partner Program is a platform-level affiliate program that RefrdBy operates directly — separate from the Provider-recruited Affiliate program described elsewhere in this policy and in our Terms. If you apply to or take part in it, here's specifically how we handle your information:

Referral attribution. Each approved Partner gets a unique referral link/code. When someone follows that link, the Service records the click and may store the referral code in that visitor's browser (for example, in local storage) for a limited time, so that if they go on to create a RefrdBy account, the resulting signup can be attributed to the right Partner. This mechanism exists solely to calculate Partner bounties — it isn't used to build advertising profiles or to track people across unrelated websites.

No full financial account details. We intentionally avoid collecting or storing complete bank account numbers, card numbers, routing numbers, or similar full financial account details for Partner payouts anywhere in the Service. We only ask Partners for a preferred payout method (such as "check" or "ACH") and any free-text notes they'd like to provide; if we need fuller payment details to actually send a bounty, we request and exchange them securely by email, outside the Service.

Who can see what. A Partner's application details, referral activity, and bounty/commission records are visible to RefrdBy administrators (so we can run and audit the program) and to the Partner themselves through the Partner Portal. We don't share a Partner's personal contact information with the businesses they refer, and we don't share a referred business's account details with the Partner beyond aggregate activity (such as click and signup counts) and the minimal information needed to confirm a bounty has qualified.

Retention. We keep Partner application, profile, and referral/bounty information for as long as the Partner relationship is active and for a reasonable period afterward, consistent with Section 8 (Data retention) — for example, to pay out bounties that were earned before a Partner's account was paused or closed, and to meet our accounting, audit, and legal obligations.

6. Cookies & similar technologies

We use cookies, local storage, and similar technologies to keep you signed in (for example, storing your session token), remember your preferences, understand how the Service is used, and — where applicable — measure the effectiveness of referral links and campaigns.

Most browsers let you block or delete cookies through their settings; doing so may affect your ability to stay signed in or use certain features. We honor the choices outlined in any cookie or consent banner we show you, and we choose the most privacy-protective option by default where one is presented.

7. SMS & email messages

If you provide a phone number or email address — whether as a Provider, Client, or Affiliate — the Service may use it to send operational messages such as booking confirmations, appointment reminders, post-visit follow-ups, reward and referral notifications, and account-related notices, consistent with any consent you've given (for example, an SMS-consent checkbox on a booking form).

You can opt out of SMS messages at any time by replying STOP, and out of marketing emails using the unsubscribe link included in those messages. You may continue to receive transactional or service-related messages that are necessary to operate your account or fulfil a request you've made (for example, a confirmation for a booking you submitted).

8. Data retention

We keep personal information for as long as your account is active or as needed to provide the Service, and for a reasonable period afterward to meet legal, accounting, dispute-resolution, security, and audit obligations (including the audit log described in Section 5). When information is no longer needed for these purposes, we delete it or render it anonymous.

Providers who add or import Client information are responsible for retaining it only as long as needed for their own business and legal purposes, and for honoring deletion requests from their Clients where applicable.

9. Data security

We use technical and organizational measures designed to protect information against unauthorized access, alteration, disclosure, or destruction — including storing passwords only as secure one-way hashes, using secure connections (HTTPS), and limiting administrative access to systems that store personal information. No method of transmission or storage is completely secure, however, and we can't guarantee absolute security.

If you believe your account has been compromised or you've spotted a security issue, please contact us right away at hello@refrdby.com.

10. Your choices & rights

Depending on where you live, you may have rights to access, correct, delete, or receive a copy of your personal information, to object to or restrict certain processing, or to withdraw consent you've previously given (for example, for SMS messages). You can update most account information directly from your account settings, or contact us at hello@refrdby.com to make a request.

If you're a Client and your information was added by a Provider, the quickest way to update or remove it is often to contact that Provider directly — but you're welcome to reach us as well, and we'll coordinate with the Provider where appropriate.

We respond to verifiable requests in accordance with applicable law (which may include frameworks such as the EU/UK GDPR or U.S. state privacy laws like the CCPA/CPRA, depending on where you're located), and we won't discriminate against you for exercising your rights.

11. Children’s privacy

The Service is intended for use by adults running, working with, or interacting with a local business, and isn't directed at children. We don't knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, please contact us so we can delete it.

12. International data transfers

RefrdBy and the third-party service providers we use may process and store information in countries other than the one where you live. Where we transfer information internationally, we take steps intended to ensure it receives an adequate level of protection in line with applicable law.

13. Changes to this policy

We may update this Privacy Policy from time to time — for example, to reflect new features, legal requirements, or how we work with service providers. If we make material changes, we'll provide reasonable notice (such as an in-app notice or email) before they take effect. The "Effective" date at the top of this page always reflects the version currently in force.

14. Contact us

Questions, requests, or concerns about this policy or your information can be sent to hello@refrdby.com.

See also our Terms & Conditions.