FURYFINDERS — PRIVACY POLICY

Last revised: June 2026

Current version: https://furyfinders.com/privacy-policy

This Privacy Policy complies with EU Regulation 2016/679 (GDPR) and Cyprus Law 125(I)/2018 on the Protection of Personal Data.

This Privacy Policy ("Policy") explains how Brandnest Limited, trading as FuryFinders ("we", "us", "our"), collects, uses, stores, shares, and protects personal data of all persons interacting with our services.

This Policy applies to:

• The FuryFinders website at https://furyfinders.com — a static informational website;
• The FuryFinders affiliate management platform at https://my.furyfinders.com (powered by Affise) — where partner registration and campaign management occur;
• All Partners — Affiliates, Webmasters, Advertisers, and Resell Network Partners — registered in or applying to the Affiliate Network;
• Visitors to our website who have not registered.

This Policy should be read alongside the FuryFinders Terms and Conditions at https://furyfinders.com/partner-agreement.

By registering on the Affiliate Platform or continuing to use our website, you acknowledge that you have read and understood this Policy. If you do not agree, you are not authorised to register for or maintain an Account.

The data controller is Brandnest Limited, a private limited company incorporated under the laws of the Republic of Cyprus, registered at Theokritou 5, 2006 Strovolos, Nicosia, Cyprus, registry code ΗΕ465679.

For all privacy enquiries and data subject requests: [email protected]

Our lead supervisory authority is the Commissioner for Personal Data Protection of the Republic of Cyprus (www.dataprotection.gov.cy). You have the right to lodge a complaint with this authority at any time.

The FuryFinders website is a standard HTML informational website. It does not include registration forms, login areas, or active data collection mechanisms.

What we collect on the website:

• Session cookies strictly necessary for the website to function (see Section 7).
• Standard server log data: IP address, browser type, pages visited, referral source, timestamps. This data is held for 30 days and is used solely for security and performance monitoring.

We do not collect names, email addresses, or any other personally identifiable information through the main website.

When you register for or use the Affiliate Platform, we collect the following:

Identity and contact data

• Full legal name (individuals) or company name, registered address, and registration number (legal entities)
• Email address, telephone number, job title
• Government-issued identity documents and corporate structure documents where KYC/AML compliance requires it

Financial and payment data

• Bank account details: account number, IBAN, SWIFT/BIC, bank name and address
• Electronic wallet identifiers (Skrill, Neteller, cryptocurrency wallet addresses)
• Tax identification numbers and VAT numbers where required by law
• Masked payment credentials retained through third-party payment processors

Account and activity data

• Username and hashed password
• Traffic source descriptions and URLs submitted at registration
• Campaign statistics: clicks, conversions, leads, commissions earned
• Offer acceptance history and communication records
• IP address at registration and login; device identifiers; browser type and version

We do not intentionally collect personally identifiable information about the end-users who click on affiliate links. We collect pseudonymous tracking data strictly for traffic attribution and fraud prevention:

• Anonymous click identifiers (sub-IDs) and conversion timestamps
• Pseudonymised IP address hashes and device fingerprint data
• Click and conversion metadata used solely for commission calculation

We process personal data only where we have a valid legal basis:

Contract Performance — Art. 6(1)(b)

Account registration and management; commission calculation and payment processing; offer delivery and tracking.

Legal Obligation — Art. 6(1)(c)

KYC/AML compliance; tax and accounting records; responses to court orders and regulatory requests.

Legitimate Interests — Art. 6(1)(f)

Fraud detection and prevention; platform security; enforcing Terms and Conditions; dispute resolution; non-marketing communications; server log analysis.

Consent — Art. 6(1)(a)

Sending marketing newsletters and promotional emails where you have opted in. Consent may be withdrawn at any time without affecting prior processing.

• Creating, maintaining, and managing your Account and Affiliate Network participation.
• Verifying your identity and business details for KYC/AML compliance.
• Tracking traffic, conversions, and Qualified Actions for commission calculation.
• Processing and remitting commission payments; generating invoices and financial records.
• Communicating with you about your Account, Offers, technical issues, and platform updates.

• Complying with applicable laws and regulatory guidance.
• Responding to court orders, subpoenas, or regulatory requests.
• Investigating and preventing fraud, abuse, and money laundering.
• Enforcing our Terms and Conditions.

• Sending newsletters and promotional materials where you have opted in.
• To opt out at any time: click "Unsubscribe" in any email or write to [email protected]. Withdrawal does not affect prior processing.

We do not sell or trade personal data. We do not make decisions with significant legal effects based solely on automated processing without human review.

We do not sell, rent, or trade your personal data. We may share your data in the following circumstances:

Service providers and processors

We engage third-party processors acting under data processing agreements, including: Affise Technologies Ltd (affiliate management platform), payment processors and banking partners, cloud hosting providers (servers in the EEA), email delivery providers, fraud detection services, legal and compliance advisors.

Advertisers

We may share limited Partner data with Advertisers to verify traffic quality or resolve disputes. Sensitive financial information is not shared without explicit consent.

Legal and regulatory disclosure

We may disclose data as required by law, to regulatory authorities on valid request, to enforce our legal rights, or to prevent fraud and money laundering.

Business transfers

In a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity subject to equivalent protections. Affected Partners will be notified.

The FuryFinders website uses only strictly necessary cookies required for the website to function. These cookies do not collect personal data and do not require consent under GDPR. The cookie banner on our website ("We use cookies — OK") reflects this: by using the website you acknowledge the use of strictly necessary cookies only.

We do not use analytics, marketing, or tracking cookies on the main website.

The Affise platform uses cookies necessary for platform operation, including:

• Session authentication cookies (strictly necessary — no consent required)
• Affiliate tracking cookies: affise_sid and affise_click_id (90-day duration, contractually necessary for commission attribution — no consent required)
• Performance analytics cookies: used to monitor platform performance (consent required where applicable)

Strictly necessary cookies cannot be disabled as they are required for platform functionality. For any optional cookies, you may manage preferences through your browser settings. Instructions available at www.allaboutcookies.org

We store your data on servers located in the European Economic Area (EEA). Where we engage service providers outside the EEA, we use Standard Contractual Clauses (SCCs) adopted by the European Commission, or equivalent safeguards. For Affise's infrastructure, we rely on SCCs and Affise's Data Processing Agreement.

By registering with us, you acknowledge that your data may be transferred internationally subject to the protections set out in this Policy.

We retain personal data only as long as necessary for the purposes for which it was collected and in accordance with our legal obligations. We do not retain data indefinitely.

Upon expiry of the applicable retention period, data is securely deleted or irreversibly anonymised.

As a data subject under the GDPR, you have the following rights. We will respond to valid requests within 30 days. Complex requests may take up to 90 days; we will notify you of any extension within the initial 30 days.

10.1 Right of Access (Art. 15)

You may request confirmation of whether we process your personal data and, if so, receive a copy of that data.

10.2 Right to Rectification (Art. 16)

You may request correction of inaccurate or incomplete data. You may also update most data directly in your Account.

10.3 Right to Erasure (Art. 17)

You may request deletion of your data where it is no longer necessary, you withdraw consent, or it has been unlawfully processed. This right does not apply where retention is required by law or to protect legal claims.

10.4 Right to Restriction of Processing (Art. 18)

You may request that we restrict processing of your data in certain circumstances.

10.5 Right to Data Portability (Art. 20)

Where processing is based on consent or contract and is automated, you may request your data in a structured, machine-readable format.

10.6 Right to Object (Art. 21)

You may object to processing based on our legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds.

10.7 Automated Decision-Making (Art. 22)

We do not make decisions with significant legal effects based solely on automated processing. Where automated systems flag accounts for fraud, you may request human review.

How to exercise your rights:

Submit a written request to: [email protected]. Include your full name, Account username or email, and the right you are exercising. We may verify your identity before processing. No fee is charged for reasonable requests.

Right to lodge a complaint:

You may lodge a complaint with the Commissioner for Personal Data Protection of Cyprus (www.dataprotection.gov.cy) or any competent EU supervisory authority.

We implement the following measures to protect your personal data:

• SSL/TLS encryption for all data in transit.
• AES-256 encryption at rest for sensitive financial data and payment credentials.
• Role-based access control: only authorised personnel with a legitimate need may access personal data.
• Multi-factor authentication (MFA) mandatory for all administrative platform access.
• Regular security assessments and vulnerability monitoring.
• Audit logging of all internal access to personal data.
• Mandatory data protection awareness for all staff with access to personal data.

Despite these measures, no internet transmission is 100% secure. You transmit data at your own risk. Notify us immediately at [email protected] if you suspect any unauthorised access to your Account.

In the event of a personal data breach likely to result in high risk to your rights, we will notify you and the supervisory authority within 72 hours of becoming aware, in accordance with GDPR Articles 33 and 34.

The Affiliate Network is exclusively for adults aged 18 and over. We do not knowingly collect or process personal data of anyone under 18 years of age.

If you believe a minor has provided us with personal data, contact us immediately at [email protected]. We will delete such data without undue delay upon confirmation.

By registering, you warrant that you are at least 18 years of age.

Where a Partner is a legal entity, acceptance of this Policy extends to all employees, contractors, and authorised users accessing the Affiliate Platform on its behalf. The Partner is responsible for informing all such individuals of this Policy.

Partners must not permit any person under 18 years of age to access their Account.

Our website and platform may link to third-party websites, advertiser landing pages, or third-party services. We are not responsible for their privacy practices. Please review their individual privacy policies before submitting personal data. This Policy applies solely to data collected by us through the FuryFinders website and platform.

Where we send commercial or marketing emails, we comply with applicable anti-spam legislation, including GDPR consent requirements.

• We collect your email address to send Account-related information and, where you have opted in, promotional materials.
• All marketing emails include a clear unsubscribe link. You may also opt out by contacting us at [email protected]
• Transactional Account emails (payment notifications, security alerts) continue after opt-out as they are necessary for your Account.
• We will not use false or misleading subject lines or sender addresses.

We may modify this Policy at any time. We will notify Partners of material changes by posting a prominent notice on the website and platform, and by sending an email notification to registered Partners' email addresses on file.

Changes take effect 5 (five) business days after notification. Continued use of the Affiliate Network after the effective date constitutes acceptance of the revised Policy. Please check this page periodically for updates.

In the event of a personal data breach:

• We will notify the Commissioner for Personal Data Protection within 72 hours of becoming aware of the breach (GDPR Art. 33).
• Where the breach is likely to result in high risk to affected individuals, we will notify those individuals without undue delay via email and, where appropriate, in-platform notification (GDPR Art. 34).
• We maintain a record of all data breaches, including those not required to be notified to the supervisory authority.

We aim to respond to all requests within 30 days. Where we cannot fully comply, we will explain the reasons in writing.