Privacy Policy for Wizard Messaging Group Limited
I. Introduction and Scope
Purpose of This Privacy Policy
This Privacy Policy outlines the practices of Wizard Messaging Group Limited ("the company," "we," or "us") concerning the collection, utilization, storage, and sharing of personal data when individuals interact with the company's affiliate marketing services, website, or other platforms. The policy is meticulously crafted to be concise, transparent, intelligible, easily accessible, and to employ clear and plain language, in strict adherence to the requirements of the UK General Data Protection Regulation (UK GDPR). This approach ensures that individuals, including children if their data is processed, possess a clear understanding of how their personal information is handled. The company's fundamental commitment is to safeguard individual privacy and personal data in accordance with all applicable laws, thereby fostering trust and demonstrating accountability in its data management practices.
About Wizard Messaging Group Limited
Wizard Messaging Group Limited is a UK-based entity specializing in affiliate marketing. The company's core function involves establishing and managing connections between advertisers and publishers to facilitate the promotion of products and services. This process enables seamless transactions and the precise attribution of commissions to affiliate partners. The company's operational model typically involves tracking user interactions across digital platforms to ensure that sales and leads are accurately credited to the appropriate affiliate partners.
Applicable Data Protection Laws
The data processing activities undertaken by Wizard Messaging Group Limited are primarily governed by a robust legislative framework in the United Kingdom. This framework includes the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). These statutes collectively establish rigorous standards for the collection and processing of personal data within the UK, mirroring the foundational objectives of the original EU GDPR, which aims to protect individual privacy and rights comprehensively.
Beyond these overarching regulations, the company's use of cookies and other similar tracking technologies, which are integral to the functionality of affiliate marketing, is specifically regulated by the Privacy and Electronic Communications Regulations 2003 (PECR). The Information Commissioner’s Office (ICO) serves as the independent authority responsible for enforcing these regulations and upholding information rights in the UK.
The legal landscape governing data protection in the UK for online businesses, particularly those engaged in affiliate marketing, presents a multifaceted compliance challenge. This arises from the distinct yet interconnected requirements of the UK GDPR, the Data Protection Act 2018, and PECR. While the UK GDPR and DPA 2018 provide the overarching principles for processing personal data, PECR specifically addresses the rules for placing and accessing information on a user's device, such as through cookies. Affiliate marketing inherently relies on these tracking technologies for its core functionality, including tracking clicks, conversions, and attributing sales to specific affiliate partners. Therefore, a privacy policy for an affiliate marketing company cannot solely focus on general data processing under the UK GDPR; it must explicitly and thoroughly address cookie compliance under PECR. The ICO's ongoing consultations concerning online advertising and the use of cookies, including the impact of the Data (Use and Access) Act 2025, further highlight that this is a dynamic area of law, necessitating continuous monitoring and potential future adjustments to the policy and underlying operational practices. This means the company must implement a comprehensive privacy policy that clearly differentiates between general personal data processing and the specific rules for deploying and accessing information via cookies. This also mandates a prominent and user-friendly cookie consent mechanism that adheres to PECR's requirements for "clear and comprehensive information" and "appropriate means of consenting".
Key Definitions
To ensure clarity and understanding of this Privacy Policy, the following key terms are defined:
- Personal Data: Any information that relates to an identified or identifiable natural person, referred to as a data subject. In the context of affiliate marketing, this definition is particularly broad and crucial, encompassing online identifiers such as cookie IDs, IP addresses, and device IDs. These identifiers are routinely captured by affiliate networks and platforms as part of their standard tracking processes. The classification of these identifiers as personal data under UK GDPR fundamentally alters the compliance obligations for affiliate marketing companies. This necessitates that all processing activities involving these identifiers, even if solely for affiliate attribution, fall under the full scope of UK GDPR principles, including the requirement for a lawful basis, transparency, data minimization, and robust security measures. This means that merely tracking a cookie ID for commission purposes is no longer a purely technical or commercial activity but a legally regulated data processing operation. This also connects directly to the principle of "Purpose Limitation," implying that if a cookie ID is collected primarily for commission tracking, any subsequent use for unrelated purposes, such as extensive profiling for targeted advertising beyond the initial stated purpose, would require a new lawful basis and explicit notification to the data subject.
- Processing: Any operation or set of operations performed on personal data, whether or not by automated means. This includes a wide range of actions such as collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- Controller: The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. In the context of its affiliate marketing operations, Wizard Messaging Group Limited acts as a Controller for the personal data it collects and utilizes for its own business purposes.
- Processor: A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Controller. Processors are required to act only on documented instructions from the Controller and have their own liabilities under UK GDPR.
- Affiliate Marketing: A performance-based marketing model where affiliates (publishers) promote products or services of merchants (advertisers) and receive a commission for sales or leads generated through unique tracking links provided by the company or an affiliate network.
- ICO: The Information Commissioner's Office, the UK's independent authority established to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
II. Our Data Protection Principles
Wizard Messaging Group Limited adheres strictly to the seven fundamental principles of the UK GDPR. These principles serve as the guiding tenets for all data processing activities undertaken by the company, establishing a robust framework for safeguarding personal data and ensuring compliance.
Lawfulness, Fairness, and Transparency
Personal data is processed lawfully, fairly, and in a transparent manner. This means that the company always has a legitimate and clear reason for processing personal data, and its practices are open and understandable to individuals. This Privacy Policy is the primary instrument for achieving this transparency, clearly informing individuals about the company's data practices in an easily digestible format.
Purpose Limitation
Personal data is collected for specified, explicit, and legitimate purposes directly related to the company's affiliate marketing operations, such as tracking sales and calculating commissions. The data is not processed further in a manner that is incompatible with those initial, clearly defined purposes. This ensures that data is used only for the reasons it was originally collected.
Data Minimisation
The company ensures that the personal data collected is adequate, relevant, and strictly limited to what is necessary to achieve the stated purposes. A concerted effort is made to collect the absolute minimum amount of data required to operate services effectively, thereby reducing the potential privacy impact.
Accuracy
All reasonable steps are taken to ensure that personal data is accurate and, where necessary, kept up to date. Should any inaccuracies be identified, the company commits to promptly rectifying or erasing the erroneous data to maintain its integrity.
Storage Limitation
Personal data is retained for no longer than is necessary for the purposes for which it was collected and processed. The company has established clear data retention periods based on legal obligations, industry standards, and specific business needs, ensuring that data is securely disposed of once its purpose is fulfilled.
Integrity and Confidentiality (Security)
Personal data is processed in a manner that ensures appropriate security, including protection against unlawful or unauthorized processing, accidental loss, destruction, or damage. This is achieved through the implementation of robust technical and organizational measures designed to mitigate risks and safeguard information.
Accountability
Wizard Messaging Group Limited is responsible for, and must be able to demonstrate compliance with, all the UK GDPR principles. This includes maintaining comprehensive records of processing activities and documenting decisions related to data protection practices.
The principle of accountability holds particular significance for an affiliate marketing company due to the intricate and often multi-party data flows inherent in its business model. Affiliate marketing frequently involves interactions between publishers, advertisers, affiliate networks, and payment processors, leading to complex data exchanges. The UK GDPR mandates that data controllers not only comply with the regulations but also actively demonstrate their compliance. This extends beyond merely having a publicly accessible privacy policy; it necessitates robust internal mechanisms to prove adherence to data protection principles. For Wizard Messaging Group Limited, this means maintaining detailed records of all processing activities and conducting Data Protection Impact Assessments (DPIAs) for any new projects or processing activities that may pose a high risk to individuals' rights and freedoms. It also requires documenting assessments of lawful bases, meticulously maintaining records of consent obtained, establishing clear and justifiable data retention schedules, and thoroughly logging all data breach incidents. This proactive and verifiable approach to compliance is essential for mitigating regulatory risks and avoiding potentially significant fines for non-compliance.
III. Personal Data We Collect
Wizard Messaging Group Limited collects various types of personal data to effectively operate its affiliate marketing services, ensure accurate commission attribution, and fulfil its legal obligations. The nature and source of this data are outlined below.
Categories of Personal Data
- Online Identifiers: These identifiers are fundamental to the company's affiliate marketing operations. They include IP addresses, cookie IDs, and device IDs. These identifiers are crucial for tracking user interactions, attributing clicks and conversions to specific affiliate links, and facilitating the accurate calculation of commissions.
- Contact Details: If an individual chooses to sign up for newsletters, create an account, or engage with specific offers directly through the company's platform, personal contact details such as name and email address may be collected.
- Transactional Data: This category includes information related to purchases or other specified actions completed through affiliate links. This data is essential for the precise calculation and attribution of commissions to the company's affiliate partners. The company strives to ensure that reports shared with affiliates contain only aggregated or anonymized data, such as the date and product sold, without including personal information about the individual user.
- Usage Data: This encompasses information about how individuals interact with the company's website and affiliate links, including pages visited, links clicked, time spent on pages, and referral sources. This data is instrumental in understanding user behavior and continuously improving the company's services. This type of data may be collected via various analytics tools.
- Technical Data: Information pertaining to the device and browser used to access the company's services, such as browser type, operating system, and referring URLs, is also collected.
- Special Category Data: Wizard Messaging Group Limited does not intentionally collect special category data, which includes sensitive information such as data revealing racial or ethnic origin, political opinions, religious beliefs, health data, or data concerning a person's sex life or sexual orientation. In the unlikely event that such data were incidentally processed, stricter safeguards and specific lawful bases would be applied.
Sources of Personal Data
- Directly from Individuals: Personal data is collected directly from individuals when they interact with the company's website, sign up for services, or voluntarily provide information through forms or direct communications.
- From Affiliate Partners/Merchants: The company receives data related to transactions or referrals originating from its affiliate links from its affiliate partners and the merchants whose products or services are promoted. This data is critical for validating sales and accurately attributing commissions.
- From Third-Party Tracking Technologies: A significant portion of the data, particularly online identifiers, is collected via cookies and similar technologies that are placed on an individual's device when they click on affiliate links or visit the company's website.
- From Analytics Providers: The company utilizes third-party analytics services, such as Google Analytics, which collect certain information and provide insights into users' patterns of behaviour on the website.
Affiliate marketing inherently relies on tracking technologies like cookies to link user actions to specific affiliate referrals. While some data collection, such as email sign-ups, is explicit, the collection of online identifiers like IP addresses, cookie IDs, and device IDs often occurs implicitly when a user simply clicks an affiliate link or visits a tracked page. UK GDPR mandates transparency and the "right to be informed" at the time of direct data collection, or, for indirectly obtained data, within a reasonable period (no later than one month) or at the latest when the data is first used or disclosed. This presents a particular challenge for implicitly collected data. Therefore, the company's privacy policy must go beyond merely listing data categories; it must clearly articulate how these often-invisible online identifiers are collected (e.g., through cookies, automatically by the browser) and from what sources (direct interaction, affiliate partners, third-party analytics). This necessitates a prominent and user-friendly cookie consent banner or pop-up that explains the use of affiliate tracking cookies before they are set on the user's device. Furthermore, the policy should emphasize the company's due diligence when receiving data from third parties, ensuring that the original source has provided adequate privacy information to the individual.
A fundamental principle of UK GDPR is data minimisation, which dictates that only data necessary for the intended purpose should be collected. However, affiliate marketing, by its very nature, relies on specific identifiers such as cookie IDs and IP addresses to function—these are essential for accurately attributing sales and calculating commissions. This creates an inherent tension between strictly limiting data collection and enabling the core business model. The company addresses this by explicitly stating that the collection of certain online identifiers is necessary for the core functionality of its affiliate program (tracking, attribution, commission calculation). Concurrently, the company commits to implementing data minimisation strategies wherever possible. This includes, for instance, anonymizing or aggregating data for reporting, analytics, or other purposes where individual identification is not strictly required, thereby demonstrating adherence to the principle without hindering essential business operations.
IV. How We Use Your Personal Data (Purposes of Processing)
Wizard Messaging Group Limited utilizes personal data for specific, explicit, and legitimate purposes, all of which are meticulously aligned with its affiliate marketing operations and its unwavering commitment to delivering valuable services.
Operating Affiliate Marketing Services
Personal data is processed to facilitate the core functions of the company's affiliate marketing activities. This includes tracking clicks, conversions, and sales that originate from affiliate links, thereby ensuring precise attribution to the correct affiliate partner. This data is also used to accurately calculate and attribute commissions to affiliate partners. Furthermore, data aids in the effective management and optimization of affiliate programs and relationships with both publishers and merchants.
Service Improvement and Analytics
The company leverages personal data to gain a deeper understanding of user behavior, preferences, and engagement with its website and affiliate offers. This analytical approach helps in identifying popular products, effective marketing channels, and areas ripe for improvement. Data is also used to analyze trends, monitor the overall performance of services, enhance website functionality, and continuously improve the user experience. Additionally, insights derived from data processing contribute to the development of new services, features, and content that are relevant and valuable to both users and partners.
Marketing Communications
Where an appropriate lawful basis exists, personal data is utilized to send newsletters, promotional offers, and updates about products, services, or opportunities that may be of interest to individuals. This encompasses various direct marketing activities. The company may also tailor and personalize its communications based on individual interests and past interactions, provided such personalization is permissible under applicable data protection laws.
Security and Fraud Prevention
Personal data plays a critical role in detecting, preventing, and investigating fraudulent activities, unauthorized access, and other security incidents that could potentially compromise the company's services or data. This processing ensures the integrity and confidentiality of the company's systems, data, and the financial transactions facilitated through its platform.
Legal and Regulatory Compliance
Data processing is also conducted to ensure compliance with various legal obligations. This includes responding to lawful requests from governmental or regulatory authorities, and fulfilling statutory tax and accounting requirements. Furthermore, personal data may be processed to enforce the company's terms and conditions, resolve disputes, and protect its legal rights and interests.
Data in affiliate marketing serves a dual purpose: it is essential for core operational functionality and also contributes to value-added services. The primary operational purpose involves tracking clicks, conversions, and attributing commissions, which forms the fundamental mechanism of the business. Separately, data is utilized for broader business intelligence, such as understanding customer preferences, improving the overall user experience, and enhancing the company's bottom line through analytics. This distinction is crucial because the legal justification for each purpose may differ. Core functionality, such as tracking for commission attribution, might often rely on legitimate interests, given the user's reasonable expectation when clicking an affiliate link, provided that consent for the cookie itself is obtained under PECR. However, more extensive uses, such as direct marketing communications or detailed profiling for targeted advertising, will likely necessitate explicit consent, particularly for new prospects. The privacy policy must clearly delineate these distinct purposes and their corresponding lawful bases to maintain transparency and ensure compliance.
The landscape of online advertising is continuously evolving, which impacts how data purposes are viewed. The ICO is currently conducting consultations on its approach to enforcing PECR consent requirements for online advertising, exploring a "risk-based approach" that might permit certain "non-essential cookies without consent for specific low-risk functions, such as statistical analysis". This indicates a potential future shift in how certain analytical or ad delivery purposes are legally interpreted regarding consent. While Wizard Messaging Group Limited's policy must currently adhere to the existing stringent PECR consent requirements for non-essential cookies, the company recognizes that the regulatory interpretation of "purpose" for advertising and analytics may evolve. This necessitates ongoing monitoring of ICO guidance and legal developments, such as those stemming from the Data (Use and Access) Act 2025, and a readiness to update the privacy policy and underlying consent mechanisms if new, less stringent requirements for low-risk analytical purposes come into effect.
V. Our Lawful Bases for Processing
Under the UK GDPR, Wizard Messaging Group Limited is legally obligated to establish a valid lawful basis for processing any personal data. The company relies on one or more of the following six legal bases, ensuring that each processing activity has a clear, justifiable, and documented foundation.
Explanation of Legal Bases
- Consent: This basis applies when an individual has given clear, affirmative consent for the company to process their personal data for one or more specific purposes. Consent must be freely given, specific, informed, and unambiguous. In the context of affiliate marketing, consent is particularly relevant for the placement of non-essential cookies under PECR and for direct marketing activities targeting new prospects.
- Contract: Processing is necessary for the performance of a contract to which the individual is a party, or to take steps at the individual's request prior to entering into a contract. This basis applies when an individual directly engages with the company for a service where data processing is an integral part of fulfilling the company's contractual obligations.
- Legitimate Interest: Processing is necessary for the purposes of the legitimate interests pursued by Wizard Messaging Group Limited or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. This basis is often considered appropriate where data use is "reasonably expected" by the individual and has a "minimal privacy impact," or where there is a compelling justification for the processing.
- Legal Obligation: Processing is necessary for compliance with a legal obligation to which the company is subject. This includes adherence to statutory or regulatory requirements, such as financial reporting or responding to lawful requests from authorities.
- Vital Interests: Processing is necessary to protect the vital interests of the data subject or of another natural person. This basis is typically reserved for life-or-death situations and is rarely applicable in the context of affiliate marketing operations.
- Public Task: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. This basis is generally not applicable to private commercial entities like Wizard Messaging Group Limited.
Specific Lawful Bases for Our Processing Activities
- For Affiliate Tracking (via cookies for attribution):
  - Consent (Primary for non-essential cookies): For placing and accessing non-essential cookies (e.g., affiliate IDs for tracking, analytics cookies) on a user's device, explicit, informed consent is generally required under PECR. This is a distinct requirement from the UK GDPR lawful basis for processing the personal data after it has been collected.
  - Legitimate Interest (for processing data post-collection, where cookie consent is obtained): Once the cookie has been lawfully placed with consent, the subsequent processing of the personal data collected (e.g., for commission attribution, fraud prevention, aggregated analytics, internal reporting) may be based on the company's legitimate interest in operating its business effectively and profitably. This reliance requires a thorough Legitimate Interests Assessment (LIA) to ensure the company's interests are not overridden by the individual's fundamental rights and freedoms.
- For Marketing Communications:
  - Consent: For sending marketing emails to new prospects or for certain types of targeted advertising, explicit consent is typically required. This often involves an active opt-in or double opt-in process to ensure unambiguous indication of choice.
  - Legitimate Interest: For sending marketing communications to existing customers with whom the company has an established relationship (often referred to as the "soft opt-in" under PECR), provided they have been given a clear opportunity to opt-out and have not done so. This still necessitates a robust LIA under UK GDPR to justify the processing.
- For Service Improvement and Analytics:
  - Legitimate Interest: For internal analytics, research, and service improvement, particularly where data is aggregated or pseudonymized and has a minimal privacy impact. However, for the placement of analytics cookies themselves, consent is still required under PECR.
- For Contractual Obligations:
  - Contract: If an individual enters into a direct agreement with the company (e.g., as a publisher or advertiser), personal data necessary to fulfill contractual obligations (e.g., payment processing, account management, providing access to services) will be processed under this basis.
- For Legal Compliance:
  - Legal Obligation: Personal data required by law, such as maintaining financial records for tax purposes or responding to legitimate requests from law enforcement or regulatory bodies, will be processed under this basis.
A critical aspect of compliance for Wizard Messaging Group Limited is understanding the dual layer of consent required under UK data protection law: one for cookies under PECR and another for data processing under UK GDPR. Multiple sources clearly differentiate between consent for placing cookies and consent as a lawful basis for data processing. PECR mandates explicit consent for placing "non-essential cookies" on a user's device, such as affiliate IDs for tracking. Separately, UK GDPR outlines six lawful bases for processing personal data, which may include consent. This highlights a crucial two-step compliance requirement: first, obtain valid PECR consent to access or store information on the user's device (e.g., to set an affiliate tracking cookie); second, identify a valid UK GDPR lawful basis (which could be consent again, or legitimate interest, among others) for the subsequent processing of the personal data collected via that cookie. It is explicitly stated that ePrivacy laws "provide no other option than consent for embedding such kind of unnecessary cookies". Consequently, Wizard Messaging Group Limited cannot simply rely on legitimate interest for all data processing related to affiliate tracking. It must implement a robust, explicit, and granular consent mechanism for non-essential tracking cookies before they are placed on a user's device. The privacy policy must clearly explain this two-step process to users, ensuring they understand that consenting to a cookie allows the collection of data, which is then processed under a separate, disclosed lawful basis.
The reliance on "legitimate interest" as a lawful basis for processing personal data in affiliate marketing requires careful consideration and carries inherent nuances and risks. While this basis is common and often appropriate in digital advertising, particularly where processing is "reasonably expected" by the individual and has a "minimal privacy impact", Article 6(1)(f) of UK GDPR stipulates that legitimate interests must not be "overridden by the interests or fundamental rights and freedoms of the data subject". For an affiliate marketing company, the extensive tracking of user behavior across various websites for commercial gain, even if data is subsequently anonymized for reporting to affiliates, could be perceived as intrusive by individuals, potentially overriding their privacy rights. Therefore, while legitimate interest can be a valid basis for certain processing activities (e.g., internal analytics, fraud prevention, or marketing to existing customers under the "soft opt-in" rule), its application for direct marketing to new prospects or for extensive profiling without clear user expectation carries significant regulatory risk. Wizard Messaging Group Limited must conduct thorough Legitimate Interests Assessments (LIAs) for each specific processing activity where this basis is relied upon. These LIAs must meticulously balance the company's commercial interests against individual privacy rights, document the necessity and proportionality of the processing, and consider potential safeguards such as pseudonymization or aggregation. The privacy policy should articulate these legitimate interests clearly and transparently, providing sufficient detail for individuals to understand the balancing exercise undertaken by the company.
VI. Cookies and Other Tracking Technologies
The website and services provided by Wizard Messaging Group Limited utilize cookies and similar technologies to ensure effective functionality, enhance the user experience, and support its affiliate marketing operations. The company's practices in this area are designed to comply fully with the Privacy and Electronic Communications Regulations 2003 (PECR) and the UK GDPR.
What Are Cookies?
A cookie is a small file comprising letters and numbers that is downloaded onto a user's computer or device when they visit a website. Cookies serve a variety of functions, including remembering user preferences, tracking items in a shopping basket, counting website visitors, and, crucially for the company, facilitating affiliate tracking. PECR also extends its coverage to similar technologies that store or access information on a user's device, such as 'Flash cookies' and device fingerprinting.
How We Use Cookies
- Essential Cookies: These cookies are strictly necessary for the fundamental operation of the company's website and services, such as maintaining user sessions or ensuring security. These cookies do not require user consent under PECR.
- Affiliate Tracking Cookies: These cookies are indispensable to the company's business model. When a user clicks on an affiliate link, a unique cookie containing an affiliate ID is stored on their device. This cookie enables the company to attribute any subsequent purchases or actions to the correct affiliate partner, thereby allowing for accurate commission calculation and payment. As these cookies are generally not strictly necessary for the website's basic functionality, they require explicit user consent.
- Analytics Cookies: These cookies are employed to collect information about how users interact with the company's website, including pages visited, time spent on pages, and any errors encountered. This data helps the company understand user behavior, improve website performance, and enhance the overall user experience. These cookies are non-essential and therefore require explicit user consent.
- Advertising/Marketing Cookies: These cookies may be used to deliver more relevant advertisements to users on other websites based on their inferred interests, or to measure the effectiveness of the company's advertising campaigns. These are also non-essential cookies and require explicit user consent.
Your Choices and Consent Mechanisms
Wizard Messaging Group Limited is committed to providing users with clear and comprehensive information regarding its use of cookies. For any cookie that is not strictly necessary for the functioning of the website, explicit consent is obtained before it is set on a user's device. This is typically achieved through a prominent cookie consent banner or pop-up presented when a user first visits the site. User consent must be freely given, specific, informed, and unambiguous. The company utilizes active opt-in mechanisms, such as clear tick boxes or buttons, to ensure that user choice is explicit and clear.
Users retain the right to withdraw their consent at any time, and the company provides an easy-to-use mechanism to facilitate this, typically accessible through its cookie settings or a dedicated privacy dashboard. Furthermore, users can manage their cookie preferences directly through their web browser settings. Most modern browsers offer options to delete all cookies, block all cookies, allow all cookies, or block 'third-party' cookies specifically. The company provides links to instructions for managing cookies in common browsers, including Microsoft Edge, Chrome, Firefox, Safari, and Opera. While some browsers incorporate a 'Do Not Track' (DNT) feature, it is important to note that websites are not universally required to recognize this request, and thus its effectiveness may vary.
Compliance with PECR
The company's cookie practices are meticulously designed to comply fully with the Privacy and Electronic Communications Regulations 2003 (PECR), which are enforced by the ICO. The company continuously monitors ICO guidance, including ongoing consultations regarding a risk-based approach to enforcement and changes introduced by the Data (Use and Access) Act 2025. This Act may, in the future, permit certain non-essential cookies for specific low-risk functions, such as statistical analysis, without requiring explicit consent. The company is committed to adapting its practices and this policy as regulatory interpretations evolve to ensure ongoing compliance.
Obtaining granular cookie consent for affiliate marketing presents a significant practical challenge. Affiliate marketing fundamentally "relies on cookies to attribute sales" and requires "publishers to explicitly get the consent of website visitors before collecting cookie data". Furthermore, ePrivacy laws "provide no other option than consent for embedding such kind of unnecessary cookies" like affiliate IDs. The difficulty for Wizard Messaging Group Limited lies in the requirement for consent to be "specific and informed" for potentially multiple affiliate networks, advertisers, or tracking purposes, without overwhelming the user with overly complex choices. A simple "accept all" button may not meet the specificity requirement. This necessitates the implementation of a sophisticated Consent Management Platform (CMP) that allows users to make informed and granular choices about which categories of cookies they consent to, while still ensuring the core functionality of the affiliate program can operate where consent is given.
VII. How We Share Your Personal Data
Wizard Messaging Group Limited may share personal data with various third parties to operate its affiliate marketing services, fulfill contractual obligations, and comply with legal requirements. All data sharing is conducted in accordance with UK GDPR principles, ensuring transparency, purpose limitation, and appropriate safeguards.
Categories of Recipients
- Affiliate Partners (Publishers): While the company strives to provide reports to affiliates that contain only aggregated or anonymized data (e.g., date and product sold, without personal information), in certain scenarios, limited personal data may be shared if it is strictly necessary for the performance of a contract (e.g., to verify a specific transaction tied to a unique user ID if explicitly required for commission validation) and a lawful basis exists. Such sharing would be governed by data processing agreements.
- Merchants/Advertisers: When a user completes a purchase or action through an affiliate link, certain transactional data (which may include online identifiers linked to the transaction) is shared with the relevant merchant or advertiser for the purpose of validating the sale and attributing the commission. This sharing is essential for the affiliate marketing model to function.
- Affiliate Networks: The company may work with third-party affiliate networks that facilitate the connections between publishers and merchants. These networks often act as processors or joint controllers and will receive data necessary for tracking, reporting, and commission payments. Data sharing with such entities is governed by robust Data Protection Agreements (DPAs) to ensure compliance with UK GDPR Article 28 requirements, which mandate documented instructions and security guarantees.
- Service Providers (Processors): The company engages various third-party service providers who perform functions on its behalf, such as hosting, analytics, payment processing, customer support, and IT services. These providers act as data processors and are only permitted to process personal data on documented instructions from the company and are bound by strict contractual obligations and confidentiality agreements.
- Legal and Regulatory Authorities: Personal data may be disclosed to law enforcement agencies, regulatory bodies, or other governmental authorities if required by law, court order, or to protect the company's legal rights and interests.
- Business Transfers: In the event of a merger, acquisition, or sale of all or a portion of its assets, personal data may be transferred to the acquiring entity, provided that the new entity adheres to data protection standards consistent with this Privacy Policy.
Data Sharing Practices and Accountability
The company's data sharing practices are guided by the ICO's Data Sharing Code of Practice, which emphasizes fairness, transparency, and accountability. When sharing personal data with other controllers, the company ensures that a lawful basis exists for the disclosure. For data shared with processors, written contracts are in place detailing the scope of processing and security measures. The company also conducts due diligence on third parties to ensure they meet data protection standards.
VIII. International Data Transfers
Wizard Messaging Group Limited may, in certain circumstances, transfer personal data to countries outside the United Kingdom. Such transfers are undertaken with the utmost care to ensure that personal data remains protected to the standards required by UK GDPR.
Safeguards for International Transfers
Transfers of personal data outside the UK are only conducted if appropriate safeguards are in place, as mandated by UK GDPR. These safeguards are designed to ensure that the level of protection afforded to personal data is not undermined. Common safeguards include:
- Adequacy Decisions: Transfers to countries that have been deemed by the UK government to provide an adequate level of data protection.
- Standard Contractual Clauses (SCCs): Implementing legally binding agreements that incorporate standard data protection clauses approved by the UK government or the European Commission (as adopted by the UK). These clauses impose specific obligations on the data importer to protect the data.
- Binding Corporate Rules (BCRs): For transfers within a group of undertakings, BCRs provide a robust framework for international data transfers, subject to approval by the ICO.
- Other Derogations: In specific, limited circumstances, transfers may occur based on explicit consent, the necessity for the performance of a contract, or for the establishment, exercise, or defense of legal claims.
The company ensures that any third parties involved in international data transfers are contractually bound to uphold these safeguards and process data in accordance with UK data protection laws.
IX. Data Retention
Wizard Messaging Group Limited adheres to the UK GDPR principle of "storage limitation," which mandates that personal data must not be kept for longer than is necessary for the purposes for which it was processed. While the UK GDPR and Data Protection Act 2018 do not specify exact time limits for all data types, they place the onus on the company to define and justify its retention periods.
Determining Retention Periods
The company determines appropriate retention periods for different categories of personal data based on several key criteria:
- Purpose of Data Processing: Data is retained only for as long as it is needed to fulfill the specific purpose for which it was collected. For example, data collected for commission attribution is kept only as long as necessary for accurate payment, reconciliation, and dispute resolution.
- Legal and Regulatory Requirements: Certain types of data have statutory retention periods mandated by UK laws. For instance, tax and accounting records may need to be kept for six to seven years.
- Business Needs: Data may be retained for legitimate business needs, such as managing warranties, resolving customer disputes, or meeting customer expectations, provided these needs do not override individual rights.
- Industry Standards and Guidelines: The company considers relevant industry standards and guidelines for data retention, particularly within the affiliate marketing and digital advertising sectors.
- Risk Mitigation: Retaining less unnecessary data reduces the risk of data breaches, leaks, or regulatory fines.
Data Retention Policy Implementation
The company has established an internal data retention policy that specifies how long each type of data is kept and the justification for that timeframe. This policy also outlines secure disposal procedures for when data is no longer required, ensuring it is securely deleted, destroyed, or anonymized. The company regularly reviews and updates its data retention policy, at least annually or whenever there are changes in business practices or regulations, to ensure that retention periods remain justified and processes are followed.
For marketing data, while no universal time limit is prescribed, the company periodically reviews its marketing lists for relevance and ensures that personal data used for marketing is not retained longer than necessary, especially if consent is withdrawn or individuals object to processing. Anonymized data, which no longer identifies individuals, may be retained for longer periods for statistical analysis and business planning.
X. Data Security
Wizard Messaging Group Limited is committed to ensuring the security and confidentiality of personal data. Robust technical and organizational measures are implemented to protect personal data from unlawful or unauthorized processing, accidental loss, destruction, or damage. The company understands that appropriate security measures are crucial for maintaining trust and complying with UK GDPR.
Technical Measures
Technical measures are controls designed to mitigate vulnerabilities in systems, networks, and devices. These include:
- Encryption and Pseudonymisation: Personal data is encrypted both in transit and at rest where appropriate, and pseudonymisation techniques are used to reduce direct identifiability, particularly for analytical purposes.
- Access Controls: Strict access controls, including multi-factor authentication (MFA) and strong password policies, are implemented to ensure that only authorized personnel can access personal data.
- Network Security: Firewalls, intrusion detection systems, and other network security tools are utilized to protect against unauthorized access and cyber threats.
- Software and Threat Detection: Antivirus and anti-malware software are deployed, along with threat detection tools, to identify and address technical flaws and potential security incidents.
- Regular Backups: Data is regularly backed up to prevent loss due to system failures or other incidents.
Organisational Measures
Organisational measures are policies and processes implemented to protect personal information and often support technical measures. These include:
- Information Security Policies: Comprehensive policies govern the company's overall approach to data protection and UK GDPR compliance, outlining procedures for data handling, storage, and sharing.
- Staff Awareness Training: All employees receive regular training on UK GDPR compliance, data protection principles, and how to handle personal data securely. This ensures that employees understand their responsibilities and are equipped to recognize and report data breaches promptly.
- Risk Assessments: Regular risk assessments are conducted to identify information security threats and determine appropriate controls, ensuring that security measures are relevant to the risks faced.
- Incident Response Plan: A detailed business continuity and incident response plan is in place to explain the actions the company will take in response to an information security incident, including steps for containment, assessment, notification, and review.
- Data Protection Agreements (DPAs): Strong contractual controls are established with third-party data processors to ensure they adhere to necessary UK GDPR requirements and implement appropriate security measures.
XI. Your Data Protection Rights
Under the UK GDPR and Data Protection Act 2018, individuals have specific rights concerning their personal data, with some exceptions. Wizard Messaging Group Limited is committed to facilitating the exercise of these rights.
- The Right to Be Informed: Individuals have the right to be informed about the collection and use of their personal data. This Privacy Policy serves as the primary means of fulfilling this right, providing clear and concise information about data processing activities.
- The Right of Access: Individuals have the right to request a copy of the personal data held about them by the company. This allows individuals to verify the lawfulness of the processing.
- The Right to Rectification: Individuals have the right to request that inaccurate or incomplete personal data be corrected or updated without undue delay.
- The Right to Erasure (also known as the 'right to be forgotten'): Individuals can request the deletion or removal of their personal data where there is no compelling reason for its continued processing.
- The Right to Restrict Processing: Individuals have the right to 'block' or suppress the processing of their personal data in certain circumstances, for example, if they contest the accuracy of the data or object to its processing.
- The Right to Data Portability: This right allows individuals to obtain and reuse their personal data for their own purposes across different services. It permits individuals to request their data in a structured, commonly used, and machine-readable format.
- The Right to Object: Individuals have the right to object to the processing of their personal data in certain circumstances, particularly where the processing is based on legitimate interests or for direct marketing purposes.
- Rights in Relation to Automated Decision-Making and Profiling: Individuals have rights concerning decisions made solely based on automated processing, including profiling, that produce legal effects concerning them or similarly significantly affect them. The company does not currently engage in automated decision-making that produces such effects.
- The Right to Withdraw Consent: Where processing is based on consent, individuals have the right to withdraw that consent at any time. This withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.
To exercise any of these rights, individuals are encouraged to contact the company using the details provided in the "Contact Us" section of this Privacy Policy. The company will respond to requests without undue delay and within one month of receipt, as required by UK GDPR.
XII. Data Breach Notification
In the event of a personal data breach, Wizard Messaging Group Limited has established robust detection, investigation, and internal reporting procedures to facilitate decision-making about notification requirements.
Notification to the Supervisory Authority (ICO)
The company has a duty to report certain personal data breaches to the Information Commissioner's Office (ICO). This notification will be made without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. If the notification is not made within 72 hours, it will be accompanied by reasons for the delay. The notification to the ICO will include a description of the nature of the personal data breach, the categories and approximate number of individuals and records concerned, the name and contact details of the Data Protection Officer (if applicable) or other contact point, a description of the likely consequences, and the measures taken or proposed to deal with the breach and mitigate adverse effects.
Communication to Affected Individuals
If a personal data breach is likely to result in a high risk of adversely affecting individuals' rights and freedoms, the company will also inform those individuals directly and without undue delay. This communication will take place as soon as possible, particularly if there is a need to mitigate an immediate risk of damage to them. The decision not to notify individuals will be documented in line with the accountability principle, and the ICO retains the power to compel notification if it deems there is a high risk.
Record Keeping
Regardless of whether a breach requires notification to the ICO or affected individuals, the company maintains a comprehensive record of all personal data breaches. This documentation includes the facts relating to the breach, its effects, and the remedial action taken, enabling the ICO to verify compliance.
XIII. Changes to This Privacy Policy
Wizard Messaging Group Limited regularly reviews and, where necessary, updates its privacy information to reflect changes in its data processing activities, legal requirements, or best practices. Any new uses of an individual's personal data will be brought to their attention before the new processing commences.
This Privacy Policy may be updated periodically to ensure it remains accurate, comprehensive, and compliant with evolving data protection laws. The most current version of the policy will always be available on the company's website. Material changes to this policy will be communicated through appropriate channels, such as prominent notices on the website or direct communication, where legally required or deemed necessary.
XIV. Contact Us
For any questions, concerns, or requests regarding this Privacy Policy or the company's data protection practices, individuals may contact Wizard Messaging Group Limited using the following details:
Wizard Messaging Group Limited
info@wizmsg.com
Individuals also have the right to lodge a complaint with the Information Commissioner's Office (ICO) if they have concerns about how their data is being handled. The ICO can be contacted via their website at ico.org.uk or by calling their helpline.