Privacy Policy

1. Data Controller

The data controller for the Webmachine platform is PRPPC OU, registered in Estonia at Harju maakond, Tallinn, Kesklinna linnaosa, Pärnu mnt 105, 11312. We are committed to protecting your privacy and processing your personal data in accordance with the General Data Protection Regulation (GDPR) and applicable Estonian data protection laws.

2. Information We Collect

2.1 Account Information

• Full name and email address
• Password (stored as a bcrypt hash, never in plain text)
• Account role (Advertiser or Affiliate)
• Company name and details (if applicable)
• Profile avatar

2.2 Financial Information

• Wallet balance and transaction history
• Cryptocurrency wallet addresses (for withdrawal purposes)
• Payment method preferences
• Settlement records and earning history

2.3 Tracking & Technical Data

• IP addresses (for fraud detection and geo-targeting)
• Device information and browser user agent
• Click, impression, and conversion data
• Session information including login timestamps and device details
• Geolocation data derived from IP addresses

2.4 Communication Data

• Support communications and inquiries
• Notification preferences
• Platform activity logs

3. How We Use Your Data

We process your personal data for the following purposes:

• Platform Operation: To create and manage your account, process transactions, and deliver our services.
• Campaign Tracking: To accurately track clicks, impressions, and conversions for campaign performance reporting.
• Fraud Prevention: To detect and prevent fraudulent activity using IP analysis, device fingerprinting, click velocity checks, and conversion rate monitoring.
• Financial Processing: To manage wallet balances, process settlements (T+7), and execute withdrawals.
• Security: To protect accounts through session management, 2FA, and login monitoring.
• Communication: To send transactional notifications, platform updates, and security alerts.
• Analytics: To generate aggregated platform statistics and performance reports.

4. Legal Basis for Processing

• Contract Performance: Processing necessary to fulfill our service agreement with you (account management, payments, campaign tracking).
• Legitimate Interest: Fraud detection, platform security, and service improvement.
• Legal Obligation: Compliance with financial regulations, tax requirements, and law enforcement requests.
• Consent: Marketing communications and optional analytics (where applicable).

5. Data Sharing

We do not sell your personal data. We may share data with:

• Payment Processors: To facilitate fund deposits and withdrawals.
• Infrastructure Providers: Cloud hosting, CDN, and database services necessary to operate the platform.
• Analytics Partners: Aggregated, anonymized data for platform performance analysis.
• Legal Authorities: When required by law, court order, or to protect the rights and safety of Webmachine and its users.

6. Data Retention

• Account Data: Retained for the duration of your account and up to 2 years after account closure.
• Tracking Events: Partitioned by month; retained for 24 months for reporting and dispute resolution.
• Financial Records: Retained for 7 years in compliance with accounting and tax regulations.
• Fraud Alerts: Retained for 5 years for pattern analysis and platform integrity.
• Session Logs: Retained for 90 days.

7. Your Rights

Under the GDPR, you have the following rights:

• Access: Request a copy of the personal data we hold about you.
• Rectification: Request correction of inaccurate or incomplete data.
• Erasure: Request deletion of your data (subject to legal retention requirements).
• Restriction: Request limitation of processing in certain circumstances.
• Portability: Request your data in a structured, machine-readable format.
• Objection: Object to processing based on legitimate interest.

To exercise these rights, contact us at [email protected]. We will respond within 30 days. For more details, see our GDPR Compliance page.

8. Security Measures

We implement robust security measures to protect your data:

• Password hashing with bcrypt (12 rounds)
• Two-factor authentication (TOTP) with Google Authenticator support
• Single active session enforcement with real-time force-logout
• Rate limiting on API endpoints (100 requests per window)
• Encrypted data transmission (TLS/SSL)
• Regular security audits and vulnerability assessments

9. International Transfers

As an Estonia-based company operating within the EU, your data is primarily processed within the European Economic Area (EEA). If data transfer outside the EEA is necessary, we ensure appropriate safeguards such as Standard Contractual Clauses (SCCs) are in place.

10. Contact & Complaints

If you are unsatisfied with our response, you have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) or your local supervisory authority.