Privacy Policy
Last updated: 20 March 2026
1. Who we are
DontPayFull.com is a coupon codes and deals comparison website operated by:
DontPayFull SRL
Str. Zece Mese nr. 9, Ap. 1
024061 Bucharest, Romania
Company registration: J40/14765/2015
CUI: RO35294618
US correspondence: 440 N Barranca Ave #2277, Covina, CA 91723
DontPayFull SRL is the data controller for personal data processed through DontPayFull.com within the meaning of Regulation (EU) 2016/679 (the General Data Protection Regulation, "GDPR").
Privacy contact: [email protected]
General contact: [email protected]
2. What data we collect and why
We collect and process personal data only for specified, explicit, and legitimate purposes. The table below sets out each category of data, the purpose, the legal basis under the GDPR, and how long we keep it.
| Category | Data collected | Purpose | Legal basis | Retention |
|---|---|---|---|---|
| A. Account / registration data (optional) | Email address, display name, country of residence, date of birth (for age verification), gender (optional field) | Creating and maintaining a user account; personalising deal alerts; verifying minimum age | Art. 6(1)(b) GDPR - performance of contract | For the duration of the account, plus 30 days after deletion request |
| B. Usage / analytics data | Pages visited, clicks, session duration, traffic source, city and country derived from IP address (IP address is truncated before storage and not retained in full), browser type, operating system | Statistical traffic analysis via Google Analytics 4 to understand how visitors use the site and to improve content and performance | Art. 6(1)(f) GDPR - legitimate interest (website analytics and improvement) | 26 months (GA4 maximum retention configuration) |
| C. Advertising / marketing data | Behavioural data processed via Meta Pixel (anonymised event data) | Advertising measurement and personalised advertising; revenue from display ads that allows us to provide a free service | Art. 6(1)(a) GDPR - consent (via cookie banner; you can withdraw at any time) | 90 days |
| D. Cookie consent records | Your consent choices (accepted/rejected categories), timestamp of consent, consent version | Demonstrating compliance with GDPR consent requirements | Art. 6(1)(c) GDPR - legal obligation (Art. 7(1) GDPR accountability) | 13 months |
| E. Server / hosting logs | IP address (not stored in full after processing), user-agent string, HTTP request timestamps, response codes | Server security monitoring, fault diagnosis, and DDoS detection on Hetzner infrastructure | Art. 6(1)(f) GDPR - legitimate interest (IT security) | 30 days |
| F. CDN / network logs | IP address and request metadata processed in transit by Cloudflare for DDoS protection and Web Application Firewall (WAF) | Protecting the website and its users from malicious traffic and attacks | Art. 6(1)(f) GDPR - legitimate interest (IT security) | Up to 30 days (Cloudflare standard) |
| G. Customer support communications | Email address, content of your support request or complaint, ticket history | Responding to your enquiries and resolving support issues via Freshdesk | Art. 6(1)(f) GDPR - legitimate interest (customer service) | 2 years after ticket resolution |
| H. Price alerts / push notifications (optional) | Email address | Sending you price drop alerts and deal notifications that you have explicitly requested | Art. 6(1)(a) GDPR - consent (you can withdraw at any time by unsubscribing) | Until you unsubscribe |
| I. Affiliate click tracking | Redirect URL click data for commission attribution; DontPayFull does not store any personally identifiable information in relation to affiliate clicks | Tracking that a click originated from DontPayFull for the purpose of earning affiliate commission; this revenue allows us to provide a free service to users | Art. 6(1)(f) GDPR - legitimate interest (affiliate revenue) | Affiliate networks place their own cookies on merchant domains and act as independent controllers; please refer to their own privacy policies |
Legitimate interests assessment
Where we rely on Art. 6(1)(f) GDPR (legitimate interest), we have assessed that our interests do not override your fundamental rights and freedoms. Specifically:
- Analytics (Category B): We use IP anonymisation in Google Analytics 4 so that your full IP address is never stored. The interest is proportionate to the purpose of improving a free public service.
- Security logging (Categories E, F): Retaining short-term server and CDN logs is a standard and proportionate security measure. Logs are deleted within 30 days.
- Customer support (Category G): Retaining support tickets for 2 years allows us to handle follow-up questions and provides an audit trail for complaints.
- Affiliate tracking (Category I): No PII is stored by DontPayFull in connection with affiliate clicks. The interest is minimal and proportionate.
You have the right to object to processing based on legitimate interests at any time. See Section 6 for details.
Cookies
We use cookies and similar tracking technologies on DontPayFull.com. Strictly necessary cookies are placed automatically. All other cookies (analytics, advertising, and personalisation) are placed only after you give your consent via our cookie banner. You may change or withdraw your cookie preferences at any time by clicking the "Cookie Settings" link in the footer. For a full list of cookies we use, please see our Cookie Policy.
We do not rely on implied consent. Continued browsing of our website is not treated as consent to non-essential cookies.
3. Processors and recipients
We share your data only with the third-party service providers ("processors" or, where noted, "independent controllers") listed below. All processors are contractually bound under Art. 28 GDPR Data Processing Agreements and may only process your data on our documented instructions.
| Processor | Country | Purpose | Transfer mechanism | Further information |
|---|---|---|---|---|
| Google LLC | USA | Google Analytics 4 - anonymised traffic analytics. IP addresses are truncated before any data leaves the EU/EEA. | EU-US Data Privacy Framework (DPF adequacy decision, July 2023) | Google Privacy Policy | Analytics opt-out |
| Meta Platforms Inc. | USA | Meta Pixel - advertising measurement and conversion tracking. Active only with your explicit consent. | EU-US Data Privacy Framework (DPF adequacy decision, July 2023) | Meta Privacy Policy |
| Hetzner Online GmbH | Germany (EU) | Web hosting and server infrastructure for DontPayFull.com. | Intra-EU - no international transfer; Art. 28 GDPR DPA in place | Hetzner Privacy Policy |
| Cloudflare Inc. | USA | Content Delivery Network (CDN), DDoS protection, and Web Application Firewall (WAF). Cloudflare processes traffic data in transit to protect the website. | EU-US DPF + Standard Contractual Clauses (SCCs, EC Decision 2021/914) | Cloudflare Privacy Policy |
| Freshworks Inc. (Freshdesk) | USA | Customer support platform. Your support requests and correspondence are stored in Freshdesk. | Standard Contractual Clauses (SCCs, EC Decision 2021/914) | Freshworks Privacy Policy |
| Reddit Inc. | USA | Reddit Ads Pixel - advertising conversion tracking and audience measurement. Active only with Marketing cookie consent. | Standard Contractual Clauses (SCCs, EC Decision 2021/914) | Reddit Privacy Policy |
| Plausible Analytics (Plausible Insights OÜ) | Estonia (EU) | Privacy-friendly, cookieless website analytics. Plausible does NOT use cookies or collect personal identifiers. It processes aggregated, anonymised traffic data only (page views, referrers, browser type). No consent required under ePrivacy Directive. | Intra-EU - no international transfer; Art. 28 GDPR DPA in place | Plausible Privacy Policy |
| Affiliate networks (AWIN, Rakuten/LinkShare, CJ Affiliate, Tradedoubler, Impact, ShareASale, 2Performant, Amazon Associates, and others) | Various (EU and non-EU) | Commission attribution for affiliate referrals. When you click a deal link and visit a merchant site, the affiliate network may place its own cookies on that merchant's domain. | Each network applies its own transfer mechanism (adequacy decision, SCCs, or DPF as applicable) | Affiliate networks act as independent data controllers for data collected on merchant sites. Please refer to each network's own privacy policy for details. |
We do not sell your personal data to third parties. We do not share your personal data with any third party for their own marketing purposes without your explicit consent.
4. International transfers
Some of our processors are based in the United States or other countries outside the European Economic Area (EEA). We ensure that any transfer of personal data to a third country is made only where an adequate level of protection is guaranteed, using one or more of the following mechanisms:
EU-US Data Privacy Framework (DPF)
On 10 July 2023, the European Commission adopted an adequacy decision for the EU-US Data Privacy Framework (DPF). Processors certified under the DPF (currently Google LLC, Meta Platforms Inc.) may receive personal data from the EEA without additional transfer safeguards, because the DPF adequacy decision confirms an equivalent level of protection to that guaranteed within the EU.
Standard Contractual Clauses (SCCs)
Where a processor is not certified under the DPF, or as an additional transfer safeguard, we rely on the European Commission's Standard Contractual Clauses (EC Decision 2021/914 of 4 June 2021). SCCs are pre-approved model contractual provisions that legally bind the data importer (our processor) to provide an equivalent level of protection to EU data protection law. We have carried out a Transfer Impact Assessment (TIA) where required by the relevant supervisory authority guidance.
Intra-EU transfers
Data processed by Hetzner Online GmbH remains within the European Union. No international transfer safeguards are required for intra-EU transfers.
You may request a copy of the applicable transfer safeguards by writing to [email protected].
5. Retention periods summary
We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law. The table below summarises the retention periods for each data category.
| Data category | Retention period | Rationale |
|---|---|---|
| A. Account / registration data | Duration of account + 30 days post-deletion | Contract performance; 30-day grace period for account recovery |
| B. Usage / analytics data | 26 months | GA4 maximum; allows year-on-year trend comparison |
| C. Advertising / marketing data | 90 days | Consent-based; short retention minimises privacy risk |
| D. Cookie consent records | 13 months | Legal obligation to demonstrate valid consent; aligns with standard guidance on cookie renewal |
| E. Server / hosting logs | 30 days | IT security; short retention limits exposure |
| F. CDN / network logs (Cloudflare) | Up to 30 days | DDoS and WAF protection; Cloudflare standard retention |
| G. Customer support communications | 2 years after ticket resolution | Allows follow-up and provides audit trail for complaints |
| H. Price alerts / push notification tokens | Until unsubscription | Consent-based; deleted immediately upon withdrawal |
| I. Affiliate click tracking | No PII retained by DontPayFull | Affiliate networks retain data under their own policies as independent controllers |
When the applicable retention period expires, data is securely deleted or anonymised so that it can no longer be attributed to an identified or identifiable individual.
6. Your GDPR rights
Under the GDPR, you have the following rights in relation to your personal data. These rights apply from the date of this policy. You may exercise any of these rights free of charge by contacting us at [email protected]. We will respond within one calendar month of receiving your request (extendable by a further two months for complex or numerous requests, with notice).
| Right | What it means | How to exercise it |
|---|---|---|
| Right of access (Art. 15 GDPR) | You have the right to obtain confirmation of whether we process your personal data and, if so, to receive a copy of that data along with information about how we use it. | Email [email protected] with subject "SAR - Access Request" |
| Right to rectification (Art. 16 GDPR) | You have the right to have inaccurate personal data corrected or incomplete data completed without undue delay. | Update your account profile, or email [email protected] |
| Right to erasure (Art. 17 GDPR) | You have the right to request deletion of your personal data in certain circumstances, for example when the data is no longer necessary for the purpose for which it was collected, or where you withdraw consent and there is no other legal basis for processing. | Email [email protected] with subject "Erasure Request" |
| Right to restriction of processing (Art. 18 GDPR) | You have the right to request that we restrict processing of your personal data, for example while you contest the accuracy of the data or object to processing based on legitimate interests. | Email [email protected] with subject "Restriction Request" |
| Right to data portability (Art. 20 GDPR) | Where processing is based on consent or contract and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format, and to transmit it to another controller. | Email [email protected] with subject "Portability Request" |
| Right to object (Art. 21 GDPR) | You have the right to object at any time to processing of your personal data based on our legitimate interests (Art. 6(1)(f)). We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, or for the establishment, exercise, or defence of legal claims. | Email [email protected] with subject "Objection - Legitimate Interest" |
| Right to withdraw consent (Art. 7(3) GDPR) | Where we process your data on the basis of your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. Withdrawing consent for cookies can be done via our cookie banner at any time. | Cookie settings link in footer; unsubscribe link in notification emails; or email [email protected] |
| Right not to be subject to automated decision-making (Art. 22 GDPR) | We do not make decisions about you solely by automated means that produce legal or similarly significant effects on you. If this changes, we will update this policy and implement the required safeguards. | Not currently applicable |
| Right to notification of rectification, erasure, or restriction (Art. 19 GDPR) | If we carry out rectification, erasure, or restriction of processing at your request, we will notify each recipient to whom we have disclosed your data, unless this is impossible or involves disproportionate effort. We will inform you of those recipients upon request. | Applied automatically when exercising rights in the rows above |
We may need to verify your identity before processing your request. We will not charge a fee for reasonable requests; however, we may charge a reasonable fee or refuse manifestly unfounded or excessive requests.
8. UK residents (UK GDPR)
If you are located in the United Kingdom, your personal data is processed under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). DontPayFull SRL is not established in the United Kingdom, but as we offer our services to UK residents, the UK GDPR applies to our processing of your personal data under Art. 3 UK GDPR.
Your rights under the UK GDPR are equivalent to those described in Section 6 of this policy (access, rectification, erasure, restriction, portability, object, withdraw consent, Art. 19 notification). To exercise these rights, contact [email protected].
Supervisory authority for UK residents:
The supervisory authority responsible for UK data protection law is:
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Website: www.ico.org.uk
Helpline: 0303 123 1113
You have the right to lodge a complaint with the ICO at any time if you believe we have processed your personal data unlawfully. We encourage you to contact us first at [email protected] so we can try to resolve your concern directly.
International transfers to the UK:
The UK has granted adequacy decisions for transfers from the UK to EU/EEA countries and to certain other countries. For transfers from the UK to the US, we rely on the UK International Data Transfer Agreements (IDTAs) or UK Addendums to EU SCCs, as applicable, with the same processors listed in Section 3.
9. Children
DontPayFull.com is not directed at children and we do not knowingly collect personal data from minors.
GDPR (EU/EEA users): Under Art. 8 GDPR, the age of consent for information society services is 16 years. Residents of EU/EEA member states who are under 16 years of age may not create an account or use consent-based features of DontPayFull.com without the authorisation of their parent or legal guardian.
Global audiences: For users outside the EU/EEA, we apply a minimum age of 13 as a baseline. Users aged 13-15 may only use our service with verifiable parental consent. If you are a parent or guardian and believe your child under the applicable age has provided us with personal data without consent, please contact us at [email protected] and we will delete that data promptly.
We use the date of birth field collected at optional registration to verify that users meet the applicable age threshold.
10. California residents (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA).
Categories of personal information we collect
We collect the following categories of personal information from California residents:
- Identifiers: name, email address, IP-derived location (city/country).
- Commercial information: deal interactions, coupon usage history.
- Internet or other electronic network activity: pages visited, session data, browser and device information.
- Geolocation data: city and country derived from IP address (approximate, not precise GPS location).
- Inferences: preferences inferred from browsing activity for advertising purposes.
Your CCPA/CPRA rights
- Right to Know (Cal. Civ. Code Art. 1798.100): You have the right to know the categories and specific pieces of personal information we have collected about you.
- Right to Delete (Art. 1798.105): You have the right to request deletion of personal information we have collected from you, subject to certain exceptions.
- Right to Correct (Art. 1798.106): You have the right to request correction of inaccurate personal information we maintain about you.
- Right to Opt-Out of Sale/Sharing (Art. 1798.120): You have the right to opt out of the sharing of your personal information with advertising partners for cross-context behavioural advertising.
- Right to Limit Use of Sensitive Personal Information (Art. 1798.121): We do not collect sensitive personal information as defined by CPRA.
- Right to Non-Discrimination (Art. 1798.125): We will not discriminate against you for exercising any of your CCPA/CPRA rights.
Do Not Sell or Share My Personal Information
We do not sell personal information for money. However, sharing personal data with advertising partners (Reddit Ads) for cross-context behavioural advertising constitutes "sharing" under the CPRA.
To opt out of sharing:
- Use our dedicated CCPA Opt-Out page: select "Opt Out" to stop the sharing of your personal information with advertising partners on a going-forward basis.
- Email [email protected] with the subject line "Do Not Sell or Share - California".
How to submit a CCPA request
Email [email protected] with the subject "CCPA Request - [Right you wish to exercise]". We will respond within 45 days. Where necessary, we may extend this period by a further 45 days (to 90 days total) and will notify you of any extension within the initial 45-day period.
Authorised agents
You may designate an authorised agent to submit a CCPA request on your behalf. We may require written verification of the agent's authorisation before processing the request.
11. Canada residents (PIPEDA and Quebec Law 25)
If you are located in Canada, your personal data is processed in compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA) (S.C. 2000, c. 5) and, for residents of Quebec, additionally in compliance with the Act respecting the Protection of Personal Information in the Private Sector as modernised by Law 25 (An Act to Modernize Legislative Provisions respecting the Protection of Personal Information), which came into full force on 22 September 2023.
DontPayFull SRL is not established in Canada, but as we collect and use personal information from Canadian residents in the course of commercial activity, PIPEDA and applicable provincial legislation apply to our processing of your personal data.
Your rights under PIPEDA and Law 25
- Right of access: You have the right to request access to the personal information we hold about you, to be informed of how it is used, and to whom it has been disclosed.
- Right to challenge accuracy: You have the right to challenge the accuracy and completeness of your personal information and to have it amended where appropriate.
- Right to withdraw consent: Where we rely on your consent to process your personal information, you may withdraw that consent at any time, subject to legal or contractual restrictions and reasonable notice.
- Right to data portability (Quebec Law 25): Residents of Quebec have the right to receive, in a commonly used technological format, personal information you have provided to us, and to have it communicated to any person or body authorised to collect such information.
- Right to erasure (Quebec Law 25): Residents of Quebec have the right to request the erasure of personal information collected, used, or communicated contrary to applicable law, or where it is no longer necessary for the purpose for which it was collected.
- Right to complain: You have the right to lodge a complaint with the supervisory authority listed below.
To exercise any of these rights, email [email protected]. We will respond within 30 days.
Supervisory authorities for Canadian residents
Office of the Privacy Commissioner of Canada (OPC)
30 Victoria Street, Gatineau, Quebec K1A 1H3
Website: www.priv.gc.ca
Toll-free: 1-800-282-1376
Residents of Quebec may also contact:
Commission d'acces a l'information du Quebec (CAI)
Website: www.cai.gouv.qc.ca
Telephone: 1-888-528-7741
12. Australia residents (Privacy Act 1988)
If you are located in Australia, your personal data is handled in compliance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) contained therein, as amended by the Privacy and Other Legislation Amendment Act 2024.
DontPayFull SRL is not established in Australia, but as we collect and hold personal information about Australian residents in the course of operating a commercial service accessible in Australia, the Privacy Act 1988 applies to our handling of your personal information.
Your rights under the Australian Privacy Principles
- Right of access (APP 12): You have the right to request access to the personal information we hold about you. We will respond within 30 days, subject to limited exceptions permitted under the Privacy Act 1988.
- Right to correction (APP 13): You have the right to request that we correct personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading. We will take reasonable steps to correct it within 30 days of your request.
- Right to complain (APP 1): You have the right to submit a privacy complaint to us in the first instance. If you are not satisfied with our response, you may escalate to the Office of the Australian Information Commissioner (OAIC).
To exercise your rights or submit a privacy complaint, email [email protected]. We will acknowledge your complaint within 5 business days and aim to resolve it within 30 days. If you are not satisfied with our response, you may escalate to:
Office of the Australian Information Commissioner (OAIC)
GPO Box 5218, Sydney NSW 2001
Website: www.oaic.gov.au
Telephone: 1300 363 992
13. Contact
For any questions about this Privacy Policy or about how we process your personal data, please contact us:
Privacy queries: [email protected]
General contact: [email protected]
Postal address: DontPayFull SRL, Str. Zece Mese nr. 9, Ap. 1, 024061 Bucharest, Romania
We aim to acknowledge all privacy-related emails within 5 business days and to provide a substantive response within the statutory one-month period.
14. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our data processing practices, changes in applicable law, or changes to our service.
When we make material changes, we will:
- Update the "Last updated" date at the top of this page;
- Display a notice on DontPayFull.com informing users of the change; and
- Where required by law, seek fresh consent from you before applying changes to consent-based processing.
We encourage you to review this policy periodically. The version in force is always the one published at https://www.dontpayfull.com/privacy-policy.
Previous versions of this policy are available on request by contacting [email protected].