Legal

Privacy policy

Last updated: June 10, 2026

What MiddleMan does

MiddleMan helps sellers and affiliates agree commission terms, create referral links, and attribute eligible purchases to those referrals.

Information we process

We process account details supplied by MiddleMan users, partnership terms, referral-link activity, conversion references, order values, timestamps, and commission calculations. Referral requests can include an IP address and browser user-agent for security and operational records.

If you join a MiddleMan beta or launch waitlist, we process your email address, consent timestamp, referral source, and advertising campaign parameters so we can provide requested product updates and understand which campaigns generate interest.

The Shopify integration does not request customer names, email addresses, phone numbers, physical addresses, payment details, or Shopify customer profiles.

Shopify attribution

When permitted by the visitor's consent settings, MiddleMan stores a random referral token and its expiry time in first-party browser storage. The Shopify Web Pixel sends that token, an order reference, and the order value to MiddleMan when checkout completes. Attribution storage expires at the cookie-window date agreed by the seller and affiliate.

How we use information

We use information to operate referral attribution, calculate commissions, provide reporting, prevent duplicate conversion records, maintain security, and support users.

Sharing

Partnership and performance information is shared only with the seller, affiliate, and authorized MiddleMan administrators involved in that relationship. We do not sell customer data.

Retention and deletion

The live referral token, IP address, and browser user-agent are deleted or anonymized when the seller and affiliate's agreed attribution window expires. After that point, the token can no longer be used to attribute a conversion. Unconverted click records are retained for no more than 24 months for aggregate reporting and abuse prevention.

Incomplete Shopify installation credentials are deleted after one hour. Shopify access tokens are erased immediately when the app is uninstalled, and residual disconnected-install metadata is deleted within 30 days. Conversion, commission, and associated transaction records are retained for no more than seven years where needed for accounting, disputes, fraud prevention, and legal obligations. Account and agreement records are kept while the account is active and afterward only for an applicable legal or dispute period. Beta waitlist details are kept until the beta and launch communications are complete, or until you unsubscribe or ask us to delete them.

Security

MiddleMan encrypts data in transit using HTTPS and encrypted private service networking. Production data is stored on infrastructure with encryption at rest. Access is restricted to authorized systems and administrators, passwords are stored as cryptographic hashes, and commerce-platform credentials are removed when they are no longer required.

Your choices and rights

Store visitors can use the seller's Shopify cookie controls, clear browser site data, or avoid referral tracking. MiddleMan users can request access, correction, or deletion of their account information by contacting us.

Contact

Privacy and data requests: partners@middleman-platform.com