Privacy policy
ReferLayer is a partner relationship management platform. Companies use it to run referral, affiliate, co-sell, and reseller programs. Partner organizations use it to track and submit those opportunities. This page explains what data we collect, why we collect it, and how to control or delete it.
Who we are
ReferLayer is operated by ReferLayer, Inc. ("ReferLayer", "we", "us"). For privacy questions, write to [email protected].
What we collect
- Account data. Email address (used as your login identifier), name, optional phone number, profile photo URL, and the organizations you belong to.
- Operational data. Programs, partnerships, opportunities you submit or own, status changes, activities, payouts, notifications, audit history, and onboarding progress.
- Prospect data. When a partner rep submits a referral or registers a deal, we collect the prospect's name and contact details. We treat this as personal data of the prospect and apply the same retention and access controls as for users.
- Usage data. IP addresses, user agents, login timestamps, and audit-log entries for state-changing actions.
- SMS data. If you opt in to SMS notifications, we record the consent (phone, organization, source, IP, user agent) and a log of every message sent and received. See SMS opt-in and opt-out below.
- Payment data. Stripe processes payments for us. We store only the Stripe customer ID and subscription state — card numbers never touch our infrastructure.
Why we collect it
We use the data to run the service: authenticate you, route opportunities to the right organization, calculate compensation, deliver notifications, generate reports, and meet our own legal obligations. We do not sell personal data and we do not use it to train machine-learning models.
Multi-tenant isolation
Every tenant-scoped table in our database has a Postgres Row-Level Security policy that filters rows by your active organization. A user in organization A cannot read data from organization B even if both rows live in the same table. Property-style tests run against this policy on every commit.
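The following is an added illustration of the isolation pattern described above, not ReferLayer's own schema: a minimal tenant-scoped table guarded by a Postgres Row-Level Security policy keyed on the active organization, followed by the kind of check a property test would make. The table name, column names and the session variable `app.current_org_id` are assumptions.

```sql
-- Added illustration, not ReferLayer's schema. One tenant-scoped table:
CREATE TABLE opportunities (
    id              bigserial PRIMARY KEY,
    organization_id uuid NOT NULL,
    prospect_name   text NOT NULL
);

-- Enable RLS and force it even for the table owner, so an application role
-- that happens to own the table cannot bypass the policy. Superusers and
-- roles with BYPASSRLS still bypass it, so the app must not connect as one.
ALTER TABLE opportunities ENABLE ROW LEVEL SECURITY;
ALTER TABLE opportunities FORCE ROW LEVEL SECURITY;

-- The application sets the active organization per transaction in the
-- (assumed) session variable app.current_org_id. NULLIF turns an unset or
-- reset variable into NULL, so a request with no tenant context matches no
-- rows at all instead of failing on a cast of ''. USING filters reads and
-- deletes, WITH CHECK blocks inserts/updates that target another tenant.
CREATE POLICY tenant_isolation ON opportunities
    USING (organization_id =
           NULLIF(current_setting('app.current_org_id', true), '')::uuid)
    WITH CHECK (organization_id =
           NULLIF(current_setting('app.current_org_id', true), '')::uuid);

-- Seed one row per organization (constructed sample ids), each insert
-- scoped to its own tenant so the WITH CHECK clause accepts it.
BEGIN;
SET LOCAL app.current_org_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO opportunities (organization_id, prospect_name)
VALUES ('11111111-1111-1111-1111-111111111111', 'org A prospect');
COMMIT;

BEGIN;
SET LOCAL app.current_org_id = '22222222-2222-2222-2222-222222222222';
INSERT INTO opportunities (organization_id, prospect_name)
VALUES ('22222222-2222-2222-2222-222222222222', 'org B prospect');
COMMIT;

-- The property under test: a transaction scoped to organization A cannot
-- read organization B's row, even though both rows live in the same table.
BEGIN;
SET LOCAL app.current_org_id = '11111111-1111-1111-1111-111111111111';
SELECT count(*) AS cross_tenant_rows
  FROM opportunities
 WHERE organization_id = '22222222-2222-2222-2222-222222222222';
COMMIT;
```

Run the script as an ordinary application role (no superuser, no BYPASSRLS); a non-zero cross_tenant_rows count would indicate the policy is not being enforced.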
How long we keep it
- Account and operational data: for the lifetime of your account, plus up to 30 days after you delete it for backup expiry.
- Audit log: 7 years. The audit log is append-only and survives account deletion in anonymized form, because it is the compliance trail we and our customers rely on for dispute resolution and tax reporting.
- SMS message log: 18 months, then anonymized.
- Encrypted database backups: 90 days (pg_dump + age encryption, stored in Cloudflare R2).
Your rights
Under GDPR and similar laws, you have the right to access, correct, export, and delete your personal data. We expose two endpoints in the app to make this self-service:
- Export — visit Settings → Privacy and click "Download export". You'll get a JSON file with every record on your account.
- Delete — same page, "Delete my account". This anonymizes your profile, signs you out everywhere, and scrubs your personal data. Records that companies you partnered with rely on for their own audit trail (opportunities you submitted, agreements you signed) survive in anonymized form, attributed to a deleted-user placeholder.
SMS opt-in and opt-out
ReferLayer SMS notifications use double opt-in. After you supply a phone number, we send a confirmation text. SMS notifications are not enabled until you reply YES. Reply STOP at any time to opt out — this applies platform-wide, immediately, and with one TCPA-mandated confirmation reply. Reply START to opt back in. Reply HELP for help. Message and data rates may apply.
Sub-processors
- Cloudflare — CDN, WAF, DNS.
- Stripe — payment processing.
- Postmark — transactional email.
- Resend — marketing email.
- Twilio — SMS delivery.
- Sentry — error tracking (no PII payloads).
- Better Stack — uptime monitoring.
- PostHog — product analytics.
Security
TLS 1.3 in transit, encrypted backups at rest, short-lived JWTs with refresh-token rotation, optional TOTP MFA. Static analysis and dependency auditing (bandit, pnpm audit) run against every release. See Help for the full security baseline.
Changes
Material changes to this policy will be announced by email to organization owners at least 30 days before they take effect. The current version is always at referlayer.com/legal/privacy.