Bookora Partner Program — Privacy Addendum
Effective date: 21 April 2026 Last updated: 21 April 2026
This Partner Privacy Addendum (the “Addendum”) explains how Bookora (“Bookora”, “we”, “us”, “our”) collects, uses, discloses, retains, and otherwise processes personal data in connection with the Bookora Partner Program (the “Program”), including the partner application flow at https://partners.bookora.me, the partner portal, and any tracking links, referral codes, or campaign materials we provide you.
It supplements — and must be read together with — the Bookora Partner Program Terms of Service, the Payout and Referral Terms, the Cookie Policy, and the general Bookora privacy notice published at https://bookora.me/legal/privacy. If there is any conflict on partner-specific matters, this Addendum prevails for data processed in the Program.
Capitalized terms not defined here have the meaning given to them in the Partner Program Terms of Service.
1. Who is the controller
Section titled “1. Who is the controller”Bookora is the controller of the personal data described in this Addendum. Contact details for Bookora and, where required, our EU / UK representative and Data Protection Officer are in Section 13.
When you, as a partner, process data about your own audience on your own channels, you are the controller of that data and Bookora is not. You are responsible for giving your audience any notice and collecting any consent required by law.
2. What data we collect
Section titled “2. What data we collect”We collect the following categories of personal data:
2.1. Data you give us through the partner application
Section titled “2.1. Data you give us through the partner application”- Identity data: full name, preferred display name, handle.
- Contact data: email address.
- Channel data: URLs and handles for each channel you list (for example Instagram, TikTok, YouTube, X, podcast, blog, newsletter), platform for each channel, self-reported follower count, average views per post, and optional engagement rate.
- Audience-fit data: audience type / niche, primary audience countries, content formats you use, posting frequency, whether you have done brand partnerships before, a free-text description of a content idea, and a free-text description of why your audience is a fit.
- Consents: the three consent checkboxes you tick on the final step of the application (acceptance of the partner terms, permission to process your data for review, permission to contact you about the application), together with a timestamp and the locale you applied in.
2.2. Data we collect automatically
Section titled “2.2. Data we collect automatically”- Technical data: IP address (truncated where supported), user-agent string, browser language, locale preference, referring URL.
- Application flow data: partner application ID, draft-save events, timestamps of step transitions and submission, the reference code we issue on success.
- Cookie / consent data: consent categories you allow or deny through the cookie banner, the version of the Cookie Policy in effect at the time, and the date of your choice. Details are in our Cookie Policy.
- Device storage: a small record in a first-party cookie on your device that carries your application reference so the confirmation and “check status” experience works (see Section 7 of the Cookie Policy).
2.3. Data we receive after approval
Section titled “2.3. Data we receive after approval”- Banking, tax, and payout information (for example, IBAN or equivalent account identifier, tax residency, VAT or tax ID) you submit so we can pay you under the Payout and Referral Terms.
- Records of communications with our partnerships team.
- Tracking-link performance: clicks, signups, paid conversions, and any fraud signals we detect on your tracking link.
2.4. Data we do not request
Section titled “2.4. Data we do not request”We do not request special-category data (e.g. race, religion, health, sexual orientation), government ID scans, biometric data, or financial account data during the application phase. If you volunteer such data in a free-text field we will delete it promptly on becoming aware of it and will not use it to decide on your application.
3. Why we process it — purposes and legal bases
Section titled “3. Why we process it — purposes and legal bases”For partners and applicants in the EU / UK, we rely on the following Article 6 GDPR legal bases. For partners in other jurisdictions (for example Brazil / LGPD, Canada / PIPEDA, Japan / APPI, California / CCPA-CPRA, Australia / Privacy Act, Switzerland / FADP, United Arab Emirates / PDPL), equivalent bases apply.
| # | Purpose | Data used | Legal basis |
|---|---|---|---|
| 1 | Review your application, evaluate audience fit, and decide whether to accept, reject, or waitlist you | 2.1, 2.2 | Performance of pre-contractual measures at your request (Art. 6(1)(b) GDPR); our legitimate interest in a selective, high-quality Program (Art. 6(1)(f)) |
| 2 | Contact you about your application and the outcome | 2.1, 2.2 | Your consent expressed in the “Bookora may contact me” checkbox (Art. 6(1)(a)); performance of pre-contractual measures (Art. 6(1)(b)) |
| 3 | Run the Program once you are an approved partner — issue tracking links, pay you, measure conversions, send campaign briefs | 2.1, 2.3 | Performance of our contract with you under the Partner Terms (Art. 6(1)(b)); legal obligation for accounting / tax records (Art. 6(1)(c)); legitimate interest in program operation (Art. 6(1)(f)) |
| 4 | Detect and prevent fraud on tracking links (self-referrals, bots, cookie stuffing, click farms) | 2.2, 2.3 | Legitimate interest in protecting the Program and Bookora customers (Art. 6(1)(f)); legal obligation where applicable (Art. 6(1)(c)) |
| 5 | Comply with law — including tax, sanctions, anti-money-laundering, and regulator requests | 2.1, 2.3 | Legal obligation (Art. 6(1)(c)) |
| 6 | Establish, exercise, or defend legal claims | 2.1, 2.2, 2.3 | Legitimate interest (Art. 6(1)(f)); legal obligation (Art. 6(1)(c)) |
| 7 | Improve the partner application flow and the Program — aggregated analytics, A/B tests, funnel analysis | 2.2 (in aggregated form) | Legitimate interest in improving our product (Art. 6(1)(f)); where we use non-essential analytics cookies, your consent via the cookie banner (Art. 6(1)(a), ePrivacy) |
| 8 | Keep our own security and abuse records | 2.2 | Legitimate interest in information security (Art. 6(1)(f)); legal obligation (Art. 6(1)(c)) |
We do not use partner application data for targeted advertising, we do not sell it, and we do not build marketing profiles from it.
4. Automated decision-making
Section titled “4. Automated decision-making”We do not make decisions that produce legal or similarly significant effects about you based on solely automated processing. A human reviewer at Bookora reviews every application before an outcome is issued. Automated systems are used only as assistive tools — for example to deduplicate applications, to flag possible fraud, or to sort by audience size — and a human decides.
5. Who we share it with
Section titled “5. Who we share it with”We share personal data only with the recipients below and only to the extent needed for the purposes in Section 3:
- Service providers (“processors”) acting on our documented
instructions, including:
- Cloud hosting and database providers that store the application and partner portal data.
- Email delivery providers that send transactional emails (for example the approval decision and reference code).
- Customer-operations tooling (for example the ticketing system we use to manage applications and internal review).
- Payment providers and tax tooling used to pay approved partners.
- Analytics and product-instrumentation providers (for example to understand drop-off on the application flow) — only when non-essential cookies are allowed under the Cookie Policy.
- Security, anti-fraud, and logging providers.
- Professional advisors (lawyers, auditors, accountants) under confidentiality obligations.
- Authorities and courts, when we are legally required to disclose or when disclosure is necessary to protect our rights, Bookora users, or the public — and only to the extent required.
- Successors, in the event of a merger, reorganization, sale of assets, or similar corporate transaction, subject to equivalent protection.
We keep a current list of sub-processors for partner data and will make it available on request to partners@bookora.me.
6. International transfers
Section titled “6. International transfers”Bookora’s infrastructure and some service providers are located outside the European Economic Area and the United Kingdom. When personal data is transferred out of the EEA or UK, we rely on one of the following safeguards:
- Adequacy decisions issued by the European Commission or the UK Government for the destination country.
- EU Standard Contractual Clauses (2021/914) and, for UK transfers, the UK International Data Transfer Addendum or IDTA.
- Additional technical and organizational measures — including encryption in transit and at rest and access controls — where the destination country does not have an adequacy decision.
You can request a copy of the safeguards in place by contacting partners@bookora.me.
7. How long we keep it
Section titled “7. How long we keep it”| Category | Retention |
|---|---|
| Application data for rejected applications | Up to 12 months from the decision, then deleted or fully anonymized, unless a longer period is required by law |
| Application data for waitlisted applications | Up to 24 months from the decision, unless we hear from you that you want to be removed sooner |
| Application data for approved partners | Kept for the duration of the Program relationship, then up to 10 years after termination for tax, accounting, and legal-claims reasons, or longer where local law requires |
| Draft application records saved in the partner portal | 90 days of inactivity, then purged |
| Tracking-link, click, and conversion data | Kept for the duration of the Program relationship, then aggregated / pseudonymized within 24 months after termination |
| Email correspondence | 24 months, then archived or deleted |
| Consent records (application consents, cookie consents) | Kept as long as we need to demonstrate a valid consent, typically 5 years after the consent was given or withdrawn |
| Security / audit logs | Up to 12 months, longer if required to investigate an incident |
After these periods, personal data is deleted or irreversibly anonymized, unless we are required to keep it for a defined legal purpose (for example an open tax audit or a live legal claim), in which case we isolate and restrict access.
8. Your rights
Section titled “8. Your rights”Subject to applicable law, you have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate or incomplete data.
- Erasure (“right to be forgotten”), subject to our legal retention obligations.
- Restrict or object to certain processing, in particular where we rely on legitimate interests (Section 3, rows 1, 3, 4, 6, 7, 8).
- Withdraw consent at any time, where we rely on consent. Withdrawal does not affect processing already carried out lawfully.
- Data portability — receive the data you provided in a structured, commonly used, machine-readable format and ask us to transmit it to another controller where technically feasible.
- Lodge a complaint with a supervisory authority in the EEA / UK / your jurisdiction, for example the Irish Data Protection Commission (EEA one-stop-shop), the UK ICO, the French CNIL, the German BfDI or the relevant Länder DPA, Spain’s AEPD, Brazil’s ANPD, Switzerland’s FDPIC, Canada’s OPC, Japan’s PPC, or another competent authority.
California (CCPA / CPRA) residents additionally have the right to know, delete, correct, limit the use of sensitive personal information (we do not collect any), and opt out of “sale” or “sharing” of personal information (we do neither). Brazil (LGPD) residents have equivalent rights through the DPO contact below. We do not charge a fee for exercising your rights and we do not retaliate against you for doing so.
To exercise a right, email partners@bookora.me and include enough detail for us to find the record (for example your application reference code). We will answer within the statutory deadline — typically one month under GDPR, forty-five days under CCPA / CPRA, and fifteen days under LGPD — and we may extend when the request is complex, telling you why.
9. Cookies and similar technologies
Section titled “9. Cookies and similar technologies”Our use of cookies, local storage, and similar technologies on the partner site is described in the separate Cookie Policy and surfaced to you through our first-visit cookie banner. Only strictly-necessary technologies are loaded before you make a choice.
10. Security
Section titled “10. Security”We protect personal data with administrative, technical, and physical safeguards appropriate to the risk — including TLS in transit, encryption at rest, scoped access controls, audit logging, and a documented incident-response process. No system is perfectly secure; if we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent authority and, where required, you, within the statutory timelines.
11. Children
Section titled “11. Children”The Program is not directed at children. We do not knowingly collect personal data from anyone under 18. If you believe a minor has submitted an application, contact partners@bookora.me and we will delete the record.
12. Changes to this Addendum
Section titled “12. Changes to this Addendum”We may update this Addendum from time to time. Material changes will be notified by email or in the partner portal at least fourteen (14) days before they take effect, or longer where required. Non-material updates (clarifications, typos, reformatting) are effective on publication. The “Last updated” date at the top reflects the current version.
13. How to contact us
Section titled “13. How to contact us”- All partner privacy, legal, and operations requests: partners@bookora.me
If the operating Bookora entity is required under Article 27 GDPR to appoint an EU or UK representative, we will publish their contact details here once appointed. Until then, all data-protection requests can be addressed to partners@bookora.me and will be routed appropriately.