Terms & Conditions
Effective: December 20, 2023
AmbassadorFlow means the referral, ambassador & influencer technology service provider, operated by GrowSocial LTD, a company registered in Malta (C 79065).
Merchant means the e-commerce operator from which a purchase is made, and may be referred to as the Store, Retailer, or Brand.
Customer means a person who makes a purchase from the Merchant’s e-commerce store.
Ambassador Center means the branded portal where an Ambassador can view referral information, rewards, and related materials.
Ambassador means a Customer who participates in the referral program by promoting a referral coupon and/or Referral Link; an Ambassador can also be an influencer.
Referral Link means the Ambassador’s personal link that automatically activates the Ambassador’s referral code when used.
This section describes processing of personal data in the Ambassador Center and supplements the Merchant’s primary privacy policy in Part 1. The Merchant is the data controller for personal data processed in connection with the referral program. AmbassadorFlow acts as the Merchant’s data processor and processes personal data only on documented instructions. AmbassadorFlow’s general privacy information is available at ambassadorflow.com/privacy-policy-gdpr/.
Ambassadors may be created automatically following a purchase. Delivery of invitation and update communications (email or SMS) depends on the Merchant’s configuration and the Customer’s marketing preferences as recorded by the Merchant.
| Category | Examples | Purpose |
|---|---|---|
| Identity & contact | Name, email, phone | Creation and management of Ambassador Center access; program communications |
| Addresses | Billing and/or shipping address | Eligibility checks, fraud prevention, payout compliance |
| Order & referral | Order IDs, line items, totals (incl./excl. tax), currency, coupon used | Attribution, reward calculation/adjustment, abuse prevention |
| Consent & preferences | Marketing-consent flags; language/locale | Respect for opt-in/opt-out status; correct localization |
| Activity in the Ambassador Center | Clicks on share buttons; “copy link” events | Operation of features and accurate reporting to the Ambassador |
| Technical | IP address and browser user-agent at key events | Security logging and fraud detection |
| Payout details (if used) | Bank transfer details or other payout identifiers | Reward delivery and accounting/tax compliance |
| Tax identifiers (only when required) | VAT/TIN when payout thresholds under applicable law are exceeded (e.g., about USD 600) | Statutory reporting and compliance |
Passwords, if any, are stored as secure, non-reversible hashes and are never stored in plain text.
The Merchant’s e-commerce platform transmits Customer and order details to AmbassadorFlow via secure APIs/webhooks when relevant events occur. The Ambassador Center records limited technical data (such as IP address and user-agent) at sign-in and during key actions (for example, using share functions). No separate product analytics tied to identity are operated by the Ambassador Center.
On the Merchant’s instructions, AmbassadorFlow may send program communications (for example, invitation, reward notifications, payout status, periodic summaries) by email using SendGrid. The Merchant may alternatively send communications using its own provider (for example, Klaviyo, Mailchimp, or SMTP). SMS may be sent using BulkGate where enabled. Marketing-consent flags provided by the Merchant are honored.
AmbassadorFlow assists the Merchant in identifying suspected abuse (including self-referrals) using indicators such as overlapping email, address, IP, user-agent, and timing patterns. Automated systems may flag activity and, in most cases, automatically hold or adjust rewards; manual review may also be conducted. Where an automated decision materially affects an Ambassador, the Ambassador may request human review through the Merchant.
Programs may include store credit, cashback/refund, bank transfer, free gifts, or custom benefits. Where bank transfer or similar payouts are enabled, payout details are stored to process rewards and to satisfy accounting/tax obligations. Rewards are recalculated or reversed if an order is refunded or charged back.
The current list of subprocessors is maintained at ambassadorflow.com/sub-processor-list/. Personal data is not sold.
Data used by the Ambassador Center is stored in the EEA. Where a provider operates outside the EEA/UK (for example, email delivery), transfers rely on Standard Contractual Clauses (SCCs) and appropriate safeguards as published on the subprocessor page linked above.
Requests to access, correct, delete, restrict, object to, or port personal data, or to withdraw marketing consent, should be directed to the Merchant using the contact details in Part 1. AmbassadorFlow supports the Merchant in fulfilling such requests. Where deletion conflicts with legal retention duties (for example, payout records), data will be minimized or pseudonymized.
AmbassadorFlow implements appropriate technical and organizational measures, including encryption in transit (TLS), hashed passwords, role-based access controls, regular backups with tested restores, and audit/server logs retained up to 12 months. Data-processing agreements are in place with subprocessors, and international transfers use SCCs where legally required. The Merchant will be informed without undue delay of personal-data breaches relevant to the Ambassador Center.
The Ambassador Center is intended for persons aged 16 and over. It is not knowingly used to collect data from children under 16.
The Ambassador Center may operate on a domain provided by AmbassadorFlow or on a custom domain (CNAME) supplied by the Merchant (for example, ambassador.yourstore.com). Equivalent data-protection controls apply. Functionally equivalent integrations are provided for common platforms, including Shopify.