Joint Controller Summary — How Your Referral-Source Identification Is Used

For PostalDataPI customers. Plain-language summary of the GDPR Article 26 joint-controller arrangement between PostalDataPI and partners in our referral program.

When you sign up for PostalDataPI and tell us who referred you (via the "Who referred you?" field at signup, or by a later email), PostalDataPI and that referring partner become joint controllers of your identification, for the specific purpose of establishing that you were referred by them.

What this means

  • What we share with the partner. The date of your signup and a claim reference — enough for the partner to confirm they referred you. We do not share your email, billing information, usage patterns, or account activity with the partner through this mechanism.
  • Why. Both PostalDataPI and the partner have a legitimate interest in accurate attribution: we need to pay partners correctly, and the partner needs to confirm the referral relationship. You can read more about this legitimate-interest basis in our Privacy Policy.
  • Your choice. Your identification of the partner is voluntary. You can decline to identify anyone at signup, and no pressure is placed on you.
  • Your rights. You have the full set of GDPR rights (access, rectification, erasure, restriction, portability, objection) and UK GDPR / Swiss FADP / applicable US state equivalents over this data. Under GDPR Article 26(3), you may exercise these rights against either PostalDataPI or the partner, and we will coordinate our response. PostalDataPI is your primary contact.
  • Your primary contact. privacy@postaldatapi.com. We acknowledge within 5 business days and respond substantively within one month (extendable by two months for complex requests).

Responsibility allocation between PostalDataPI and partner

PostalDataPI is responsible for:

  • Maintaining the secure system
  • Coordinating data subject rights requests
  • Notifying data subjects of breaches
  • Overall compliance coordination
  • Publishing this joint-controller summary in accessible form
  • Informing data subjects at the moment of identification

The partner is responsible for:

  • Keeping any attribution records they receive confidential (per Partner Agreement Section 9.4)
  • Not further disclosing your identification without a lawful basis
  • Complying with data subject rights requests that reach them directly

Complaint paths

  • EEA data subjects: supervisory authority of your habitual residence, or the Irish Data Protection Commission as default for cross-border matters.
  • UK data subjects: UK Information Commissioner's Office at ico.org.uk/make-a-complaint.
  • Swiss data subjects: Swiss Federal Data Protection and Information Commissioner at edoeb.admin.ch.

This summary is a plain-language version of the joint-controller arrangement between PostalDataPI and partners, prepared in satisfaction of GDPR Article 26(2). The full arrangement is described in the Partner Data Protection Addendum (Section 2.3 and Appendix D).

Questions: privacy@postaldatapi.com.

Joint Controller Summary | PostalDataPI