Privacy Policy
1. Introduction
This Privacy Policy explains how Lead Media AS ("we", "us", "our"), a Norwegian company, collects, uses, and protects information through the ReferralPages platform at referralpages.app.
This policy applies to all users of the platform, including business owners who create referral pages ("tenants") and individuals who submit or are the subject of referrals ("referrers" and "referral leads"). By using ReferralPages, you agree to the practices described here.
2. Data We Collect
From referrers (people submitting referrals)
- Required: Referrer's name, email address, and phone number.
- About the referred person: Name and phone number (required); email, address, relationship to referrer, and notes (optional, depending on the tenant's form configuration).
From tenants (business owners)
- Email address (used for magic-link authentication and notifications).
- Business name, phone number, address, and website URL.
- Brand assets: logo, colors, fonts, social media links.
- Referral program configuration: reward tiers, notification preferences, custom domain settings.
- Payment information (processed by Stripe; we do not store card numbers).
From website scraping
When a tenant submits a website URL, we automatically scrape publicly available information from that site, including: business name, phone number, address, brand colors, images, and social media links. This data is used to build the tenant's referral page.
Automatically collected
- IP address — used for bot protection (via Cloudflare Turnstile) and security logging.
- Browser type and device information — included in standard HTTP request headers.
- Session cookies — see Section 4 below.
- Cloudflare Web Analytics — privacy-first, cookieless analytics that do not track individual users.
3. How We Use Data
We use the data we collect to:
- Render and operate referral pages for tenants.
- Process referral form submissions and deliver them to the appropriate tenant.
- Send notifications to tenants about new referrals (via email and, for Pro tenants, SMS).
- Authenticate tenants and admin users via magic links and session cookies.
- Prevent fraud, abuse, and bot submissions.
- Process payments for Pro subscriptions.
- Generate referral statistics and reports for tenants.
- Improve the reliability, security, and performance of the platform.
4. Cookies
ReferralPages uses session cookies only. We do not use advertising, tracking, or third-party marketing cookies.
| Cookie | Purpose | Attributes |
|---|---|---|
__tenant_session |
Authenticates tenant dashboard sessions | HttpOnly, Secure, SameSite=Strict |
__admin_session |
Authenticates admin panel sessions | HttpOnly, Secure, SameSite=Strict |
__edit_session |
Authenticates page editing sessions | HttpOnly, Secure, SameSite=Strict |
Additionally, Cloudflare Turnstile may set a cookie as part of its bot protection challenge. Cloudflare Web Analytics uses a lightweight JavaScript beacon and does not set cookies.
5. Third-Party Service Providers
We share data with the following service providers, solely to operate the platform:
| Provider | Purpose | Data shared |
|---|---|---|
| Cloudflare | Hosting, CDN, database (D1), object storage (R2), bot protection (Turnstile), web analytics | All platform data is processed on Cloudflare infrastructure; Turnstile receives IP address and browser signals |
| Stripe | Payment processing for Pro subscriptions | Tenant name, email, and payment information |
| Twilio | SMS delivery for Pro tenant notifications | Tenant phone number, referral notification content |
| Resend | Email delivery for notifications and magic-link authentication | Email addresses and notification/authentication content |
| Google Fonts | Font files for referral page rendering | No personally identifiable information; standard HTTP request headers only |
Each provider operates under its own privacy policy. We recommend reviewing their policies for details on how they handle data.
6. Data Sharing
We do not sell personal data. We share data only in the following circumstances:
- With service providers listed in Section 5, strictly to operate the platform.
- With tenants. Referral submissions are shared with the tenant whose referral page received the submission. Tenants are responsible for how they use referral data they receive.
- As required by law. We may disclose data if required by a valid legal process, court order, or government request.
- To protect rights. We may share data to enforce our Terms of Service, protect the security of the platform, or protect the rights, property, or safety of our users or the public.
7. Data Retention
- Referral data is retained for as long as the tenant's account is active.
- After account termination, data is retained for up to 90 days to allow for export requests, then permanently deleted.
- Session cookies expire according to their configured timeouts (typically hours to days).
- Magic-link tokens expire 24 hours after issuance and are single-use.
- You may request immediate deletion at any time by emailing privacy@referralpages.app.
8. Data Security
We implement technical and organizational measures to protect your data, including:
- HTTPS encryption for all data in transit.
- HMAC-signed session cookies to prevent tampering.
- Content Security Policy (CSP) headers to prevent cross-site scripting.
- SSRF protection on server-side requests.
- CSRF token validation on all state-changing API requests.
- No plaintext storage of secrets or credentials.
While we take reasonable precautions, no system is completely secure. We cannot guarantee absolute security of your data.
9. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access — Request a copy of the data we hold about you.
- Correction — Request that we correct inaccurate data.
- Deletion — Request that we delete your personal data.
- Data portability — Export your referral data as CSV from your tenant dashboard, or request an export via email.
- Objection — Object to certain processing of your data.
To exercise any of these rights, email privacy@referralpages.app. We will respond within 30 days.
10. CCPA Notice (California Residents)
If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with specific rights:
- Right to know — You may request details about the categories and specific pieces of personal information we have collected about you.
- Right to delete — You may request deletion of your personal information, subject to certain exceptions.
- Right to opt out of sale — We do not sell personal information. There is nothing to opt out of.
- Non-discrimination — We will not discriminate against you for exercising your CCPA rights.
Categories of personal information collected: Identifiers (name, email, phone, IP address), commercial information (subscription records), internet activity (browser type, pages visited), and professional information (business name, address).
We do not offer financial incentives in exchange for personal information.
11. Children's Privacy
ReferralPages is not directed at children under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 16, we will delete it promptly. If you believe a child has submitted data through the platform, please contact us at privacy@referralpages.app.
12. International Transfers
ReferralPages is operated by Lead Media AS, a Norwegian company. Data is processed on Cloudflare's global network, which includes servers in multiple countries. Our payment (Stripe), SMS (Twilio), and email (Resend) providers are US-based companies.
If you are located in the European Economic Area (EEA), your data may be transferred to and processed in countries outside the EEA. We rely on our service providers' data protection mechanisms (such as Standard Contractual Clauses) to ensure adequate protection.
13. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. For material changes, we will notify you via email or a prominent notice on the platform at least 30 days before the changes take effect.
14. Contact
For privacy questions or to exercise your data rights, contact us at:
Lead Media AS
Norway