Partner privacy policy.
What personal data we collect from Partners and their staff, how we use it, who we share it with, how long we keep it, and the rights you have over it.
01Scope of this policy
This Partner Privacy Policy describes the personal data Message.com LLC ("Message," "we," or "us") collects from Partners and from individuals working on behalf of Partners (founders, employees, contractors, finance contacts) when you participate in the Message.com Partner Program (the "Program").
This policy does not apply to personal data we process about the end users, customers, or visitors of any Partner's site or product. Where you bring a client to our platform and that client's end users interact with Message, that processing is governed by the main Privacy Policy and the Data Processing Addendum.
If a section of this policy and the main Privacy Policy address the same situation, this policy controls for matters specific to the Program. Otherwise the main Privacy Policy fills the gaps.
02Information we collect from Partners
We collect the following categories of personal data from Partners and their staff:
- Identity and contact. Your name, business name, email address, phone number, postal address, role at the Partner, and the names and emails of additional contacts you nominate.
- Business detail. Company registration number, website, audience size, country of operation, target market, prior partnerships, marketing channels you operate.
- Payout and tax. Bank account or PayPal address, Stripe Connect account ID, IRS Form W-9 or W-8 series, VAT or GST number, and the routing information your payout method requires. Sensitive bank data is held by our payout processor, not by us in the clear.
- Performance and traffic. Clicks and conversions on your tracked links, geographic distribution of referred traffic, UTM and campaign metadata you set, signups and net revenue attributed to you.
- Communications. Emails, support tickets, partner-portal messages, recorded video calls if you opt in, and notes our team takes when working with you.
- Compliance. KYC and sanctions screening results (which we re-run on a risk basis), any disputes or chargeback notices, and the outcome of any abuse or fraud investigation.
We do not knowingly collect special categories of data from Partners (health, biometric, sexual orientation, religion, political opinion, etc.). Do not submit such data through the partner portal.
03How we use Partner data
We use Partner data to:
- Run the Program day to day: track referrals, calculate commissions, pay out, send statements, and respond to your questions.
- Detect and prevent fraud, attribution abuse, and breaches of the Partner Program Terms.
- Report your performance back to you in dashboards and send transactional notifications (new signup, commission earned, payout sent).
- Improve the Program: aggregate, anonymize, and analyze performance across the Partner base to set commission tiers, identify training needs, and tune the partner portal.
- Send Partner marketing: program updates, training opportunities, co-marketing offers, and product news that is specifically relevant to Partners. You can opt out at any time without affecting your commissions.
- Meet our legal, accounting, and tax obligations, including the issuance of Form 1099-NEC and the records required by our auditors and by tax authorities.
04Legal bases (GDPR and UK GDPR)
Where the GDPR or UK GDPR applies, our legal bases are:
- Contract. Most processing is necessary to operate the Partner Program Terms you accepted: running the partner account, tracking referrals, paying out, and providing support.
- Legitimate interests. Fraud prevention, security monitoring, performance analytics, audit logging, and improving the Program. We have weighed these interests against your privacy and concluded the processing is proportionate; you can object at any time.
- Consent. Optional Partner marketing emails, optional case-study participation, and any onboarding video recording you opt into. You can withdraw consent at any time.
- Legal obligation. Tax reporting, sanctions screening, AML record-keeping, and responding to lawful regulatory or judicial requests.
05Who we share Partner data with
We share Partner data only as needed and only with the categories of recipient below:
- Payout processors. Stripe (Stripe Connect), PayPal, and our banking partner for wire transfers. These processors act as independent controllers for the payout transaction.
- Tax authorities. The US Internal Revenue Service, equivalent foreign tax authorities where required, and any state or local taxing body with jurisdiction over our payments.
- Our auditors and accountants. A small number of named individuals at our accounting and audit firms, under written confidentiality, for tax filing, financial audit, and SOC 2 work.
- Our infrastructure and tooling sub-processors. The same sub-processors that support the main platform, listed at /legal/sub-processors. These vendors process Partner data as processors on our instructions only.
- Professional advisors. Lawyers and consultants when we need advice on a specific matter that involves Partner data.
- Acquirers. In the event of a merger, financing, or asset sale, prospective acquirers under written confidentiality, and the actual acquirer if the transaction closes. We will update this policy before any change in controller takes effect.
- Law enforcement and regulators. When we are legally compelled or when we reasonably believe disclosure is necessary to protect the safety of any person.
We do not sell Partner data, and we do not share it with advertisers or data brokers.
06Retention
We keep Partner account data for the duration of the partnership and for seven years after termination, which is the period our US tax and audit obligations require for commission records. Some specific categories have shorter or longer windows:
- Authentication and access logs: 12 months.
- Support ticket bodies: 24 months after closure.
- Marketing email opt-in and opt-out history: as long as you remain on the list plus three years after unsubscribe (to honor the unsubscribe).
- Tax forms and payout records: seven years after the close of the tax year they relate to.
- KYC and sanctions screening records: five years from the date of the screening, as required by AML rules.
On request we will delete what we can earlier, subject to the legal retention floors above. Where we cannot delete, we will restrict processing so the data is used only to meet the legal obligation.
07Security
We apply the same security model to Partner data that we apply to customer data: encryption at rest (AES-256), encryption in transit (TLS 1.2+), role-based access with least-privilege defaults, mandatory MFA for production access, quarterly access reviews, immutable audit logs retained for one year, encrypted backups, continuous vulnerability scanning, and an annual SOC 2 Type II audit.
Payout details (full bank account number, full card number) are stored by our payout processors, not by us in the clear. Our staff see only the last four digits and the processor token. Detail on the broader posture lives at /trust and in the Data Security Policy linked from the legal index at /legal.
08Partner rights
Depending on your jurisdiction, you may have the right to access, correct, port, restrict, object to, or delete the personal data we hold about you, and to withdraw consent where we rely on it. To exercise any of these rights, log in to the partner portal where most controls are self-service, or email [email protected]with the subject line "Partner data request."
We verify the request, fulfill it within 30 days, and explain in writing if we cannot fulfill it in whole (typically because of a legal retention floor). There is no charge for a reasonable first request in a 12-month window; for repeated or excessive requests we may charge a reasonable fee or decline.
If you believe we have mishandled your data and we have not resolved it to your satisfaction, you may complain to your local supervisory authority. EEA residents can reach the relevant data protection authority for their country; UK residents the ICO; California residents the California Privacy Protection Agency.
09International transfers
Message is based in the United States. When Partner data moves from the EEA, the UK, or Switzerland to the US or another country without an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (2021/914) and, for UK transfers, the UK International Data Transfer Addendum. These clauses are incorporated by reference into our agreement with Partners.
You can request a copy of the relevant transfer clauses by emailing [email protected]. For more on transfers, see the International Data Transfer notice linked from /legal.
10Children
The Partner Program is open only to individuals 18 or older and to legal entities. We do not knowingly accept partners under 18, and we do not knowingly process personal data of children through the Program. If you believe we have collected data from a minor through the Program, email [email protected] and we will delete it.
11Changes to this policy
We may update this policy. When we make a material change (for example expanding the categories of data we collect, adding a new payout processor that introduces a new sub-processor, or changing how long we retain a category), we will email the change to the contact on file at least 30 days before it takes effect, and we will update the "Last updated" date at the top of this page.
Continuing to participate in the Program after the effective date means you accept the change. If you disagree with a change, you can terminate under the Partner Program Terms.
12Contact and disputes
Privacy questions and rights requests: [email protected]. Legal escalations: [email protected]. Postal mail: Message.com LLC, 363 N Sam Houston Pkwy E Ste 125, Houston, TX 77060, United States.
Disputes about this policy follow the governing-law and dispute-resolution provisions of the Partner Program Terms: Texas law, AAA arbitration, Houston seat, no class actions.
Have a Partner data request?
Email [email protected] with the subject line Partner data request. We respond within 30 days, usually within three business days.
Start free trial →