Referral and affiliate tracking platform for ecommerce. It drops first party tracking cookies on merchant websites and sends click and conversion events to its backend so that referring partners can be rewarded.
Refericon is a referral and affiliate tracking platform aimed at ecommerce brands. Merchants embed a small JavaScript snippet on their storefront and a dedicated tag on their thank you page, so that every visitor who arrives through a partner link can be attributed to the right publisher and a commission can be paid when the visitor places an order. The product is delivered as a software as a service, with dashboards for merchants, publishers and customers.
Refericon sets a first party referral cookie that stores the identifier of the publisher that brought the visitor, a session cookie used to deduplicate clicks and a persistent visitor identifier used to recognise returning users during the attribution window. On the server it logs the IP address, the user agent, the referring URL, the click and conversion events, the basket value, the order identifier and, when shared by the merchant, a hashed email or customer identifier.
Referral cookies are not strictly necessary to deliver the storefront, so Article 5(3) of the ePrivacy Directive requires prior informed consent before they are written. The server-side attribution of orders is processing of personal data under the GDPR, with Refericon acting as a processor for the merchant on the storefront side, and often as a controller for the publisher network and the reward marketplace it operates. National regulators (CNIL, BfDI, AEPD, Garante) treat affiliate trackers as marketing cookies that require an opt-in cookie banner.
The Refericon script and conversion tag should be blocked by the consent management platform until the visitor has accepted a marketing or affiliate category. Refusal must be as easy as acceptance, the banner must name Refericon and indicate the US transfer, and the cookie policy must list each Refericon cookie with its purpose and duration. Customers must be able to exercise their access, erasure and objection rights under Articles 15 to 21 GDPR.
Refericon servers are located in the United States, so referral, click and conversion events leave the European Economic Area as soon as they are sent. This transfer relies on standard contractual clauses and, when Refericon self certifies under the EU US Data Privacy Framework, on the framework adequacy decision. A transfer impact assessment is required from the merchant, taking into account the categories of data, the volume, the sensitivity and the possibility of access by US public authorities under FISA 702 and Executive Order 12333.
Sign a data processing agreement with Refericon including the EU standard contractual clauses, gate the script behind opt in consent, configure short retention windows for attribution data, hash any customer identifier before sending it, document the processing in the Article 30 records, run a documented TIA, train the marketing team on cookie compliance and update the privacy and cookie policy with a clear mention of Refericon, the US transfer, the cookies set and the retention.
Websites using Refericon must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended whenever Refericon is deployed at scale, because the referral identifiers combined with order data, IP address and user agent allow systematic tracking of customer journeys across publishers and reward campaigns, which qualifies as profiling under Article 22 GDPR. Document the categories of data, the retention of attribution logs, the sharing with publishers and the legitimate interest balancing test for fraud prevention.
Sample consent text
We use Refericon to credit our referral and affiliate partners when a purchase comes from their link. This drops a first party tracking cookie and sends your click and conversion data to Refericon, hosted in the United States. We need your consent to activate referral tracking. You can accept, refuse or withdraw your consent at any time.
Third-party domains contacted
- refericon.com
- track.refericon.com
- cdn.refericon.com

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| rfc_ref | http_persistent | 30 days | Stores the publisher referral identifier used to attribute a future conversion to the right partner. |
| rfc_sid | http_session | Session | Session identifier used to deduplicate clicks and link the same visit to a single attribution event. |
| rfc_vid | http_persistent | 1 year | Persistent visitor identifier used to recognise returning users during the attribution window. |
| rfc_utm | http_persistent | 30 days | Stores the marketing parameters of the entry URL for multi touch attribution reports. |
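
The consent gate described on this page can be verified from a recorded browser session. The following is an added example, not Refericon or FlowConsent code: it audits a constructed capture for requests to the listed domains or `rfc_` cookies written before opt-in, and for cookies that are undeclared or outlive the table above. The event shape (`t`, `host`, `setCookie`, `maxAgeDays`), the function names and the `rfc_` prefix rule are assumptions.

```javascript
// Domains and cookie names come from the lists on this page; the capture format is an assumption.
const REFERICON_HOSTS = ["refericon.com", "track.refericon.com", "cdn.refericon.com"];
// Declared maximum lifetime in days per the cookie table (0 = session cookie).
const DECLARED_DAYS = new Map([["rfc_ref", 30], ["rfc_sid", 0], ["rfc_vid", 365], ["rfc_utm", 30]]);

// Match the host exactly or as a subdomain on a dot boundary, never by bare suffix.
function isRefericonHost(host) {
  const h = String(host).toLowerCase().replace(/\.$/, "");
  return REFERICON_HOSTS.some((d) => h === d || h.endsWith("." + d));
}

// events: [{ t, host?, setCookie?, maxAgeDays? }]; consentAt: opt-in time, or null if none.
function auditCapture(events, consentAt) {
  const findings = [];
  const add = (e, rule, detail) => findings.push({ t: e.t, rule, detail });
  for (const e of events) {
    const preConsent = consentAt === null || e.t < consentAt;
    if (e.host && preConsent && isRefericonHost(e.host)) add(e, "request-before-consent", e.host);
    // Assumption: every Refericon cookie carries the rfc_ prefix seen in the table.
    if (typeof e.setCookie === "string" && e.setCookie.startsWith("rfc_")) {
      const name = e.setCookie;
      if (preConsent) add(e, "cookie-before-consent", name);
      if (!DECLARED_DAYS.has(name)) add(e, "undeclared-cookie", name);
      else if ((e.maxAgeDays ?? 0) > DECLARED_DAYS.get(name)) add(e, "lifetime-exceeds-policy", name);
    }
  }
  return findings;
}

// Constructed capture: t is milliseconds since page load.
const SAMPLE = [
  { t: 120, host: "cdn.refericon.com" },              // script fetched before opt-in
  { t: 150, setCookie: "rfc_sid", maxAgeDays: 0 },    // cookie written before opt-in
  { t: 160, host: "notrefericon.com" },               // unrelated host, must not match
  { t: 6000, host: "track.refericon.com" },           // after opt-in: allowed
  { t: 6010, setCookie: "rfc_ref", maxAgeDays: 90 },  // longer than the declared 30 days
  { t: 6020, setCookie: "rfc_vid", maxAgeDays: 365 }, // matches the declared 1 year
  { t: 6030, setCookie: "rfc_ab", maxAgeDays: 1 },    // not listed in the cookie policy
];

// Visitor opts in at t = 5000 ms.
for (const f of auditCapture(SAMPLE, 5000)) console.log(f.t, f.rule, f.detail);
```

An empty result for a session in which the visitor never opts in (`consentAt` set to `null`) is the pass condition for the gate.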
Refericon sets a first party referral cookie holding the publisher identifier, a session cookie for click deduplication and a persistent visitor identifier used during the attribution window. The conversion tag on the thank you page sends order data to Refericon servers without writing additional cookies.
Yes. Affiliate and referral cookies are marketing cookies under Article 5(3) ePrivacy Directive and need explicit opt in. The script must remain blocked until the visitor has accepted a referral or marketing category, with refusal as easy as acceptance.
Consent under Article 6(1)(a) GDPR for the public side cookies and conversion events. Legitimate interest under Article 6(1)(f) GDPR can apply to the server side reconciliation of attributed orders for fraud prevention, provided that a balancing test is documented.
Yes, Refericon hosts its tracking and reporting infrastructure in the United States, so click and conversion data are transferred there. The transfer relies on standard contractual clauses and, when Refericon self certifies, on the EU US Data Privacy Framework, with a documented transfer impact assessment.
A DPIA is recommended whenever Refericon is used at scale, because the combination of referral identifier, IP, user agent and order data enables systematic monitoring and profiling of customers across publishers, which meets the criteria of Article 35 GDPR for high risk processing.
Sign a data processing agreement with EU SCCs, gate the script behind a consent management platform, set short attribution windows, hash any customer identifier before sending, minimise data shared with publishers, run a transfer impact assessment and document the processing in the Article 30 records.
Comparable referral and affiliate platforms include Awin, Rakuten Advertising, Impact, Partnerize, Tradedoubler, Tapfiliate and Referral Candy. Some are EU based or offer EU hosting options, which simplifies transfer compliance. The choice depends on hosting, contractual terms and the audience footprint.
Add a dedicated entry that names Refericon, lists each cookie with purpose and duration, identifies Refericon as the recipient, mentions the US transfer and the safeguards in place, links to the Refericon privacy notice and explains how visitors can refuse or withdraw their consent.