Youfiliate youfiliate

Privacy Policy

Last updated: March 21, 2026

Introduction

Youfiliate (“we,” “us,” or “our”) operates the website youfiliate.com, the smart link redirect service at youfil.to, and the Youfiliate application (collectively, the “Service”). This Privacy Policy explains how we collect, use, disclose, and protect your personal data when you use our Service.

Youfiliate is operated from Portugal, within the European Union. We are committed to protecting your privacy in accordance with the General Data Protection Regulation (GDPR) and applicable data protection laws.

By using our Service, you acknowledge that you have read and understood this Privacy Policy.

Data Controller

Youfiliate Lisbon, Portugal Contact: andrew@youfiliate.com

What Data We Collect

Account Data

When you create an account, we collect:

  • Email address
  • Password (stored in hashed form; we never store or have access to your plaintext password)
  • Name (if provided)

If you sign in via Google OAuth, we receive your email address and name from Google. We do not receive or store your Google password.

Payment Data

When you subscribe to a paid plan, payment is processed by Stripe, Inc. We do not store your credit card number, CVC, or full payment details on our servers. Stripe handles all payment processing in compliance with PCI-DSS standards. We receive and store:

  • Stripe customer ID
  • Subscription status and plan type
  • Billing email
  • Last four digits of your payment method (for display purposes)

For more information, see Stripe’s Privacy Policy.

When someone clicks a smart link (youfil.to), we collect the following data about the click:

  • Country — determined from the Cloudflare CF-IPCountry HTTP header or MaxMind GeoLite2 database lookup. Used for geo-routing and analytics.
  • Device type, operating system, and browser — parsed from the User-Agent header. Used for deep linking and analytics.
  • Referrer domain — the domain the click originated from (e.g., youtube.com). Used for analytics.
  • IP address hash — we hash IP addresses with a daily rotating salt. We never store raw IP addresses. The hash is used for approximate unique visitor counting and cannot be reversed to identify individuals.
  • Timestamp — when the click occurred.

Click data is associated with the smart link, not with any identifiable end user. We do not use cookies, fingerprinting, or cross-site tracking on the youfil.to redirect service.

YouTube Channel Data

If you use the YouTube Auto-Migration feature, you authorize us to access your YouTube account via OAuth. This grants us access to:

  • Your channel name and ID
  • Video titles and descriptions (to identify affiliate links)
  • The ability to update video descriptions (to replace affiliate links with smart links)

We access YouTube data only when you explicitly initiate a migration. We store:

  • Your YouTube OAuth access token and refresh token (for API access)
  • Video titles and descriptions (to enable preview and rollback)
  • Original descriptions are backed up so you can restore them at any time

You can disconnect your YouTube account at any time from the Settings page, which deletes all stored OAuth tokens.

Affiliate Tag Data

If you save Amazon affiliate tags in your settings, we store your per-country affiliate tags so they can be automatically applied when creating smart links.

Usage Data

We automatically collect certain information when you use our Service:

  • Browser type and version
  • Pages visited and features used
  • Date and time of access
  • Referring URL

We use Plausible Analytics on our landing page, which is privacy-focused and does not use cookies or collect personal data.

Cookies

We use essential cookies required for the Service to function (e.g., session authentication via JWT tokens stored in localStorage). We do not use third-party tracking cookies in the application.

How We Use Your Data

We use your personal data for the following purposes:

  • To provide the Service — creating and managing your account, processing subscriptions, creating and managing smart links, performing geo-routing, recording click analytics, and executing YouTube migrations.
  • To process payments — managing billing and subscriptions through Stripe.
  • To communicate with you — sending transactional emails (account confirmations, password resets, billing notifications) via SendGrid.
  • To send marketing communications — with your explicit consent, sending product updates, tips, and newsletters. You can unsubscribe at any time.
  • To improve the Service — analyzing usage patterns to improve features and user experience.
  • To ensure security — detecting and preventing fraud, abuse, and unauthorized access.
  • To monitor link health — periodically checking destination URLs for availability and reporting broken links.

We process your personal data based on the following legal grounds:

  • Contract performance — processing necessary to provide you the Service you signed up for (account data, payment data, smart link creation, click routing, YouTube migration).
  • Consent — for marketing emails, YouTube OAuth access, and non-essential cookies. You may withdraw consent at any time.
  • Legitimate interest — for usage analytics, security, click analytics on smart links, and Service improvement, where our interests do not override your rights.

Who We Share Data With

We share personal data only with the following categories of service providers, who act as data processors on our behalf:

ProviderPurposeData Shared
StripePayment processingEmail, payment method details
SendGridTransactional and marketing emailEmail address, name
RenderApplication hostingData stored in our database
CloudflareCDN, DNS, and geo-IP resolutionIP address (for geo-routing), request data
MaxMindGeoIP database (fallback)IP address (processed locally, not sent to MaxMind)
Google/YouTubeYouTube Data APIYouTube OAuth tokens, video data
VercelLanding page hostingIP address, usage data

We do not sell your personal data to third parties. We may disclose data if required by law or to protect our legal rights.

Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service. Specifically:

  • Account data — retained until you delete your account.
  • Payment data — retained as required for tax and legal obligations (typically 7 years for financial records).
  • Smart link click data — retained for up to 12 months, then automatically deleted. IP hashes use daily rotating salts and cannot be correlated across days.
  • YouTube OAuth tokens — retained until you disconnect YouTube or delete your account.
  • YouTube description backups — retained as long as the associated migration exists, to support rollback.
  • Usage data — retained for up to 24 months, then anonymized or deleted.
  • Marketing consent records — retained as long as consent is active, plus a reasonable period after withdrawal for record-keeping.

When you delete your account, we will delete or anonymize your personal data within 30 days, except where retention is required by law.

Your Rights (GDPR)

Under the GDPR, you have the following rights:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — request correction of inaccurate data.
  • Erasure — request deletion of your data (“right to be forgotten”).
  • Restriction — request that we limit processing of your data.
  • Portability — request your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interest.
  • Withdraw consent — withdraw consent for marketing emails, YouTube OAuth access, or cookies at any time.

To exercise any of these rights, contact us at andrew@youfiliate.com. We will respond within 30 days.

You also have the right to lodge a complaint with a supervisory authority. In Portugal, this is the Comissao Nacional de Protecao de Dados (CNPD) at www.cnpd.pt.

International Data Transfers

Some of our service providers (Stripe, SendGrid, Render, Vercel, Google, Cloudflare) are based in the United States. Where personal data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or the service provider’s participation in recognized data protection frameworks.

Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encrypted data transmission (TLS/HTTPS)
  • Hashed password storage
  • Hashed IP addresses with daily rotating salts (no raw IPs stored)
  • Access controls and authentication
  • Regular security reviews

No method of transmission or storage is 100% secure. If you become aware of a security vulnerability, please contact us at andrew@youfiliate.com.

Children’s Privacy

Our Service is not intended for individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete it promptly.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice on the Service. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

andrew@youfiliate.com