adryse.
Early access
!
Draft — pending legal review. This document has not yet been reviewed by Swedish commercial counsel. It is shown here for feedback and reference only and must not be relied on as a binding legal instrument until it is moved out of draft status. Email [email protected] with review feedback.

Publisher Data Processing Agreement

Version 2026-04 (draft 1) · Last updated 9 April 2026 · Exhibit 1 to the Publisher Terms of Service

This Publisher Data Processing Agreement (“Exhibit 1”) forms an integral part of the Adryse Publisher Terms of Service and governs the processing of personal data belonging to publishers registering with, or participating in, the Adryse affiliate network. Adryse is operated by Idealy AB (org. nr 556880-7464), Saturnusvägen 70, 352 64 Växjö, Sweden.

1. Introduction and scope

This Exhibit governs the processing of personal data collected from publishers as part of joining and participating in Adryse: account creation, identity verification, tax reporting where applicable, and payout administration. It terminates automatically upon termination of the Publisher Terms of Service.

Click-level data generated when a visitor interacts with a tracking link is covered separately by the Data Transfer Agreement (Exhibit 2), where both Adryse and the publisher act as independent controllers. This Exhibit does not cover that flow.

2. Definitions

Personal data” has the meaning set out in Article 4(1) of the General Data Protection Regulation (Regulation (EU) 2016/679, the “GDPR”).

Applicable Data Protection Law” means the GDPR and any national or international data protection legislation in force during the term of this Exhibit, including the Swedish Data Protection Act (dataskyddslagen, 2018:218).

Publisher”, “you”, and “your” refer to the natural or legal person who has registered an Adryse publisher account.

Adryse”, “we”, and “us” refer to Idealy AB, acting as controller of the personal data described in this Exhibit.

3. Personal data processed

For the purposes set out in Section 4, Adryse processes the following categories of personal data about publishers:

  • Name (individual or authorised signatory of a legal entity);
  • Email address;
  • Postal address and country, where the publisher has provided one for material legal notices;
  • Tax or personal identity number where required by applicable tax law in the publisher's jurisdiction;
  • Payout details routed through Stripe Connect Express — Adryse does not store bank account numbers or full card details; these are handled directly by Stripe under their own privacy and security standards;
  • Traffic source information the publisher has voluntarily supplied during onboarding (channel URLs, descriptions, prior affiliate history);
  • Authentication metadata such as session tokens, login timestamps, and IP addresses from which the publisher signs in (retained for security investigations only);
  • Support correspondence and any other information the publisher voluntarily submits to Adryse.

4. Purposes of processing

Personal data described in Section 3 is processed to:

  • Provide access to the Adryse platform and services;
  • Verify the identity of the publisher and meet applicable know-your-customer (KYC) and anti-money-laundering (AML) obligations;
  • Administer commission accrual, approval, and payout to the publisher;
  • Issue self-invoices, tax statements, and any other documents required by applicable tax law;
  • Meet Adryse's legal obligations, including bookkeeping retention requirements under Swedish law;
  • Internal analytics and service improvement, limited to data strictly necessary for the purpose and never sold or shared for advertising;
  • Fraud detection, security monitoring, and incident response relating to the publisher's account.

5. Lawful basis

Adryse relies on the following lawful bases under Article 6 GDPR for the processing described in Section 4:

  • Performance of a contract (Article 6(1)(b)) — most publisher data is processed to fulfil the Publisher Terms of Service and to pay the publisher.
  • Legal obligation (Article 6(1)(c)) — where processing is required by tax, accounting, or AML law.
  • Legitimate interest (Article 6(1)(f)) — for fraud detection, security, and service improvement, where Adryse's interest is not overridden by the publisher's fundamental rights and freedoms.

6. Sub-processors

Adryse relies on a small, fixed list of sub-processors to deliver the service. Current sub-processors are listed in the Privacy Policy and include, at minimum:

  • Cloudflare Inc. (United States) — edge network, DDoS protection, and Workers runtime hosting the tracker. Data processed at the Cloudflare edge is limited to request metadata required to route the request. Cloudflare is bound by the EU Standard Contractual Clauses.
  • Neon Inc. (hosted in the EU, eu-central-1) — managed Postgres database. All publisher records and click records are stored here.
  • Stripe Payments Europe Ltd. (Ireland) — Stripe Connect Express handles KYC, tax forms, and payout disbursement on Adryse's behalf.
  • Postmark (ActiveCampaign LLC) — transactional email delivery for magic-link authentication, payout notifications, and dispute correspondence.

Adryse will notify the publisher in writing at least 30 days before adding or replacing any sub-processor that has material access to publisher personal data. The publisher may object on reasonable grounds; if the objection cannot be resolved, the publisher may terminate the Publisher Terms of Service without penalty.

7. International data transfers

Personal data is primarily stored in the European Economic Area (EEA). Where a sub-processor transfers personal data outside the EEA, Adryse relies on the European Commission's Standard Contractual Clauses (2021/914) or an applicable adequacy decision to safeguard the transfer. The current transfer map is maintained in the Privacy Policy.

8. Retention

Personal data is retained only as long as necessary for the purposes described in Section 4, subject to mandatory retention periods under applicable law:

  • Account, KYC, and payout records are retained for the duration of the Publisher Terms of Service plus seven (7) years after account closure, to comply with Swedish bookkeeping law (bokföringslagen 1999:1078, 7 kap. 2 §).
  • Authentication logs (login IP addresses, session tokens) are retained for 90 days rolling, then automatically deleted.
  • Support correspondence is retained for 24 months after the most recent interaction.
  • Data required to defend legal claims is retained for the applicable statute of limitations period.

9. Publisher rights

Publishers may exercise the following rights under the GDPR, subject to the limitations set out in applicable law:

  • Right of access (Article 15);
  • Right to rectification (Article 16);
  • Right to erasure (Article 17);
  • Right to restriction of processing (Article 18);
  • Right to data portability (Article 20);
  • Right to object (Article 21);
  • Right to lodge a complaint with a supervisory authority (Article 77) — in Sweden, Integritetsskyddsmyndigheten (IMY).

Rights requests can be sent to [email protected]. Adryse will respond within one month of receipt, extendable by a further two months for complex requests with prior notice to the publisher.

10. Security measures

Adryse implements appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage, including:

  • TLS 1.2+ for all data in transit;
  • Encryption at rest on the underlying Neon database and Stripe sub-processor;
  • Role-based access control limiting administrative access to publisher data;
  • Automated audit logging of administrative actions on publisher records;
  • Regular security reviews and dependency updates;
  • Personal data breach response process with notification to the affected publisher and, where required, to the competent supervisory authority within 72 hours of becoming aware of the breach.

11. Amendments

Adryse may amend this Exhibit from time to time, including where necessary to reflect changes in Applicable Data Protection Law, sub-processors, or the architecture of the service. Material amendments will be communicated to publishers at least 30 days before they take effect, via email to the address registered to the publisher's account and through in-platform notification.

12. Governing law and jurisdiction

This Exhibit is governed by Swedish substantive law. Disputes arising from or in connection with this Exhibit fall within the exclusive jurisdiction of Växjö tingsrätt as the court of first instance, subject to any mandatory consumer protection jurisdictions available to natural-person publishers under Applicable Data Protection Law.

13. Contact

Questions about this Exhibit or about Adryse's processing of publisher personal data can be sent to:

Idealy AB
Saturnusvägen 70
352 64 Växjö
Sweden

[email protected]