Legal

Privacy Policy

This policy explains how Allocora handles personal data when you use the website, application, APIs, billing flows, integrations, support channels, and related services.

Last updated: May 24, 2026 Data Controller: Allocora

1. Scope

Allocora ("we", "our", "us") provides self-serve revenue allocation, commission, royalty, seller-payout, statement, export, and audit workflow software. This Privacy Policy applies to visitors, account users, workspace members, API users, support contacts, and people whose details are uploaded or processed inside a customer workspace.

Customers are responsible for making sure they have the right to upload revenue records, payee details, partner data, statement recipients, and integration data into Allocora. Where we process that workspace data on a customer's behalf, we act as a processor or service provider under applicable privacy laws.

2. Data We Collect

Account and workspace data

  • Name, email address, password or authentication method, and account settings.
  • Organization, workspace, role, permissions, onboarding choices, and plan information.
  • Support messages, contact form submissions, and security or billing requests.

Workspace content

  • Revenue rows, products, payees, rules, calculation runs, audit logs, exports, and statement files.
  • Payee names, email addresses, statement recipients, payout references, product identifiers, metadata, and uploaded files.
  • API keys, key prefixes, integration settings, and encrypted restricted integration tokens where you choose to connect a provider such as Stripe.

Billing and payment data

  • Subscription plan, checkout status, transaction identifiers, customer identifiers, invoices, and tax or billing metadata returned by billing providers.
  • Payment card details are handled by our payment processor. Allocora does not store full card numbers.

Technical and usage data

  • IP address, browser, device, approximate location, request logs, security events, error reports, and feature usage.
  • Cookies, analytics events, Google authentication data where used, and similar technologies needed to operate, secure, and improve the service.

3. How We Use Data

  • Provide, secure, maintain, and improve Allocora.
  • Create accounts, authenticate users, manage workspace roles, and prevent misuse.
  • Import revenue data, apply payout rules, run calculations, generate statements, create exports, and maintain audit trails.
  • Process subscriptions, invoices, plan changes, cancellation, refunds, and tax or compliance requirements.
  • Respond to support, billing, security, data rights, and product questions by email.
  • Monitor performance, diagnose errors, protect against abuse, and preserve service reliability.
  • Comply with legal obligations and enforce our Terms of Use.

4. Legal Bases Under GDPR

Where the GDPR applies, we process personal data using one or more of these legal bases:

  • Contract: to provide the services you request, including accounts, calculations, integrations, billing, support, and exports.
  • Legitimate interests: to secure the service, prevent abuse, improve product quality, diagnose issues, and communicate about service matters.
  • Legal obligation: to keep billing, tax, accounting, security, and compliance records where required.
  • Consent: where a specific optional use requires consent, such as non-essential cookies or marketing communications.

5. Cookies and Tracking

We use cookies and similar technologies for login sessions, security, preferences, analytics, checkout, and product reliability. Some cookies are necessary for the service to work. Optional analytics or advertising-related cookies, if used, are managed according to applicable consent requirements.

You can control cookies through your browser settings. Blocking some cookies may affect login, checkout, security, or workspace functionality.

6. Service Providers

We use service providers to host, secure, monitor, analyze, authenticate, bill, and support Allocora. These providers may process personal data only as needed to provide their services to us.

  • Payments and subscriptions: Paddle and related billing infrastructure.
  • Authentication: Google OAuth, when you choose Google sign-in.
  • Analytics and tag management: Google Analytics and Google Tag Manager, where enabled.
  • Error monitoring and security: operational providers used to detect incidents, diagnose failures, and protect the service.
  • Integrations: Stripe or other providers you choose to connect to your workspace.

We do not sell personal data.

7. International Transfers

Allocora may use providers or infrastructure located outside your country. Where personal data is transferred outside the European Economic Area, we rely on adequacy decisions, Standard Contractual Clauses, transfer impact assessments, or other lawful transfer mechanisms required by GDPR.

8. Retention

We retain personal data only for as long as needed for the purposes described in this policy, including service delivery, security, billing, legal compliance, dispute resolution, and backups.

  • Account and workspace data is generally retained while the workspace remains active.
  • Billing, invoice, tax, and accounting records may be retained for the period required by law.
  • Security, audit, and diagnostic logs are kept for a limited period unless needed to investigate abuse, fraud, incidents, or legal claims.
  • Deleted files and workspace records may remain in backups or deferred deletion systems for a limited period before permanent removal.

9. Security

We use technical and organizational measures designed to protect personal data, including access controls, encrypted storage for sensitive integration tokens, hashed API key storage, HTTPS, audit logging, and operational monitoring. No internet service can be guaranteed to be completely secure.

10. Your Rights

Depending on your location, you may have rights to access, correct, delete, restrict, object to, or port personal data, withdraw consent, opt out of certain processing, and lodge a complaint with a supervisory authority.

To exercise your rights, email [email protected] with the subject line "Privacy Request". We may need to verify your identity and workspace relationship before acting on the request.

11. US State Privacy Rights

Residents of California and certain other US states may have additional rights to know, access, correct, delete, or obtain a portable copy of personal information, and to opt out of sale, sharing, targeted advertising, or profiling where applicable. Allocora does not sell personal information. If we use processing that is treated as targeted advertising or sharing under applicable law, we will provide the required opt-out mechanism.

12. Data Deletion Requests

  1. Email [email protected] with the subject line "Data Deletion Request".
  2. Include the email address associated with the account, workspace name if known, and a description of the data you want deleted.
  3. We will verify the request, confirm receipt, and process deletion within the timeframe required by applicable law.

Some data may be retained where required for legal, tax, accounting, security, fraud prevention, dispute, or backup reasons.

13. Children

Allocora is not intended for children under 18. We do not knowingly collect personal data from children. If you believe a child has provided personal data, contact us so we can take appropriate action.

14. Changes

We may update this Privacy Policy as the service, providers, laws, or practices change. Material updates will be posted on this page with a new last updated date.

15. Contact

Questions about this Privacy Policy or privacy rights can be sent to [email protected].