Privacy Policy

Who we are

Royalty Paid is a curated affiliate network for creators, operated by Robert Fruman and Felipe Wills. We can be reached at hello@royaltypaid.com. For privacy-specific requests, use the same address with the subject line “Privacy Request.”

What we collect

We collect only what we need to run the network:

• From creator applicants: name, email address, phone number, social handle, primary posting platform, niche, and the brands you said you actually buy from.
• From waitlist signups: email address, social handle, primary platform; optionally name and phone if you choose to provide them.
• From brand applicants: company name, website, contact name, contact email, niche, and the products you want creators to promote.
• From signed-in creators: the same information collected at application, plus deal activity, tracking-link clicks, sales data passed to us by brand platforms, and payout records once payouts begin.
• Automatically: standard server logs (IP address, user-agent, timestamps) for security and abuse prevention. We do not run third-party analytics, advertising trackers, or pixels on this site.

Why we collect it

• To review applications and decide who joins the network.
• To match approved creators with relevant brand deals.
• To provide the creator portal, including tracking, samples, and payouts.
• To contact you about your application, your account, your deals, or important changes to the service.
• To prevent fraud and enforce our Terms of Service.
• To meet our tax, accounting, and legal obligations.

We do not sell your personal information. We do not use it to train AI models. Phone numbers are used to contact you about your application or your deals — we do not send marketing text messages.

Who we share it with

We share information only with the parties we need to in order to run the service:

• Brands in the network: when a creator is matched to a deal, we share the information the brand reasonably needs to fulfill the deal — typically handle, primary platform, and shipping address for product seeding. Sensitive contact details (your email and phone) are not shared with brands without your knowledge.
• Service providers (subprocessors) who run the technical infrastructure on our behalf:
• Supabase — database and authentication
• Vercel — hosting
• Resend — transactional email
• Shopify — for brands that connect their Shopify store to the network via the Royalty Paid Shopify app (see “Shopify integration” below)
• Legal and compliance: we will disclose information if required by law, court order, or to protect against fraud or harm.
• Business transfer: if the network is ever sold, merged, or otherwise transferred, your information will move with it. The acquiring party will be bound by this policy or one materially similar.

When we add new subprocessors — for example, a payments provider once we launch automated payouts — we will update this list before the new provider receives any data.

How long we keep it

• Waitlist signups: until you ask us to delete them or until we decide to retire the waitlist, whichever comes first.
• Denied or withdrawn applications: 12 months after the final decision, then deleted.
• Approved creators while active: retained for the duration of the relationship.
• Approved creators after deactivation: retained for up to seven years to satisfy tax, accounting, and audit obligations, then deleted unless we are required by law to keep them longer.
• Brand applications and accounts: retained for the duration of the relationship plus seven years.
• Server logs: retained for up to 90 days, then rotated.

Your choices and rights

You can ask us, at any time, to:

• Show you what information we hold about you.
• Correct anything that is wrong.
• Delete your information, subject to our legal retention obligations above.
• Export your information in a machine-readable format.
• Stop processing your information for marketing or non-essential communications.

Email hello@royaltypaid.com with the subject line “Privacy Request” and we will respond within 30 days. We may need to verify your identity before acting on a request.

For deletion-specific instructions, see Data deletion.

California residents have additional rights under the CCPA and may submit requests through the same address. We do not knowingly “sell” or “share” personal information as those terms are defined under California law.

Cookies

We use only the cookies required for the service to function: a session cookie when you sign in to the creator portal, and an admin session cookie for the internal review queue. We do not run advertising, social-media, or analytics cookies.

Brands that connect their Shopify store via our app also have a small attribution cookie set on their own storefront — see “Shopify integration” below.

Shopify integration

When a brand connects its Shopify store to the Royalty Paid network by installing our Shopify app (“Royalty Paid attribution”), the app reads and stores a narrow slice of Shopify data needed to attribute orders to the right creator and to comply with Shopify's privacy webhooks.

Scopes the app requests

• read_orders — so we can subscribe to order webhooks (orders/create, orders/cancelled, refunds/create) and identify which orders were driven by Royalty Paid creators.
• read_customers — required by Shopify so the app can acknowledge GDPR compliance webhooks (customers/data_request, customers/redact, shop/redact). We do not query customer records ourselves.

What we read from order webhooks

• Order ID, total sale value, currency, and processed timestamp.
• Discount code applied to the order (if any) — used to attribute via creator promo codes.
• The note_attributes our storefront app embed wrote at cart time: rp_click_id (a Royalty Paid click identifier) and rp_promo_code.
• The shop's .myshopify.com permanent domain — used to look up which connected brand the order belongs to.

We do not read or store customer names, emails, phone numbers, shipping addresses, billing addresses, line-item product details, or any other personal data from order webhooks. The full raw webhook payload is briefly written to our internal audit log for forensic-debugging purposes and is rotated within 90 days.

Storefront cookie + localStorage

When a customer arrives at a connected brand's Shopify storefront via a Royalty Paid affiliate link (e.g., ?rp_click=…&rp_promo=…), our app embed stores those identifiers in:

• A first-party rp_click + rp_promo cookie on the brand's storefront domain, with a 14-day lifetime, SameSite=Lax, Secure over HTTPS.
• The browser's localStorage on the brand's storefront origin, same values.

These identifiers are then copied into the Shopify cart's note_attributes when the customer interacts with the cart, so the order webhook arrives with attribution intact. They are not personal information: they're internal Royalty Paid identifiers (a UUID and a promo code) that have meaning only inside our database.

What we store on our side

• The brand's .myshopify.com domain.
• An offline access token Shopify issued at install (used to subscribe webhooks; encrypted at rest).
• Per-order: ID, sale value, commission, attribution metadata. No customer data.
• Audit log entries with the raw webhook payload (auto-rotated).

GDPR compliance webhooks

Shopify requires every public app to acknowledge three compliance webhooks: customers/data_request, customers/redact, and shop/redact. Because we do not store customer personal data, our endpoint at /api/webhook/shopify/gdpr simply records the request in our audit log and returns a 200 acknowledgment. If a brand uninstalls our app or deletes their Shopify store, we automatically clear our local copy of their connection state and access token.

How to disconnect

Brands can uninstall the app at any time from their Shopify Admin → Apps. We process theapp/uninstalled webhook automatically and stop processing further events for that store. To additionally request deletion of historical sales data we attributed for that store, contact hello@royaltypaid.com with the subject “Shopify deletion request.”

Social platform integrations

Instagram, TikTok, and YouTube account connections are not live in the creator portal at this policy version. Creators can use Royalty Paid links and promo codes manually without granting social-account OAuth access. Before any social-platform OAuth feature is launched, this policy will list the platform, scopes, data fields, retention window, disconnect path, and deletion behavior.

Children

Royalty Paid is not directed to anyone under 18. We do not knowingly collect information from minors. If you believe a minor has submitted information to us, contact us and we will delete it.

International use

Royalty Paid is operated from the United States and our service providers store information on servers in the United States. By using the site you understand that your information may be transferred to and processed in the United States, which may have different data-protection rules than your country of residence.

Security

We use industry-standard practices to protect information: encrypted transport (HTTPS), encrypted database storage, scoped access to production data, and password hashing for accounts. No system is perfectly secure, and we cannot guarantee absolute security.

Changes to this policy

We may update this policy from time to time. The “Last updated” date at the top of this page will change. For material changes that affect your rights, we will email signed-in creators at least 14 days before the new version takes effect.

Contact

Questions, complaints, or privacy requests: hello@royaltypaid.com.