Privacy Policy
Last updated: June 19, 2026
This Privacy Policy explains how Linkly ("we", "our", or "us") collects, uses, and protects your personal data when you use our link management platform at linkly.li and any associated subdomains (the "Service"). We are committed to protecting your privacy and complying with applicable data protection laws, including the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
1. Data We Collect
We collect only the data necessary to operate and improve the Service. This falls into three categories:
1.1 Account & Profile Data
When you create an account, we collect:
- Full name — used to personalise your dashboard and bio page.
- Email address — used for account authentication, transactional emails, and support.
- Hashed password — stored using a one-way cryptographic hash; we cannot read your plain-text password.
- Google account ID & profile picture — only if you choose to sign in via Google OAuth. We do not access your Google contacts, Drive, or any other Google data.
- Profile avatar — an optional image you upload to display on your bio page.
- Account creation date & last login timestamp.
1.2 User-Generated Content
The Service is built around the content you create. We store:
- Short link destinations — the original long URLs you shorten, together with any custom alias, title, scheduling dates, and expiry settings you configure.
- Bio page data — your bio page username, display name, description, theme choice, social profile URLs, and all link blocks you add to your page.
- QR code settings — the destination URL, visual configuration (colours, pattern, logo), and the generated QR image file stored under your account.
- Custom domain settings — any branded domain you connect to the Service, stored solely to route traffic correctly.
You retain full ownership of all content you create. We do not claim any intellectual property rights over your links, bio pages, or QR codes.
1.3 Visitor Analytics & Tracking Data
When a third party clicks one of your short links, scans one of your QR codes, or visits your bio page, Linkly automatically records the following data points for the purpose of providing you with click analytics:
- Anonymised IP address — we derive the visitor's country and approximate region from the IP address, then discard the raw IP. We do not store full IP addresses in our analytics tables.
- Country & city — derived from the anonymised IP via a geo-IP lookup.
- Device type — desktop, mobile, or tablet, parsed from the browser's User-Agent string. We do not store the full User-Agent string.
- Referrer domain — the website that sent the visitor to your link (e.g. instagram.com, google.com), if one is present in the HTTP request. Full referrer paths are not stored.
- Timestamp — the date and time of the click in UTC.
This analytics data is attributed to your account as the link owner. It is not sold to, or shared with, any advertising network or data broker.
1.4 Technical & Log Data
Our servers automatically collect standard web server logs including your IP address, browser type, pages visited within our dashboard, and error events. These logs are used solely for security monitoring, fraud prevention, and debugging, and are purged on a rolling 30-day cycle.
2. How We Use Your Data
We use the data we collect for the following purposes and under the following legal bases:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Creating and managing your account | Contract performance |
| Providing the short link, bio page, and QR code features | Contract performance |
| Displaying click analytics to you in your dashboard | Contract performance / Legitimate interest |
| Sending transactional emails (welcome, billing receipts, password resets) | Contract performance |
| Sending service announcements (outages, policy changes) | Legitimate interest |
| Fraud detection and platform security | Legitimate interest |
| Complying with legal obligations | Legal obligation |
We do not use your data for behavioural advertising, do not sell your data to any third party, and do not build advertising profiles from your usage.
3. Cookies & Tracking
Linkly uses a minimal, privacy-respecting cookie strategy. We do not use third-party advertising cookies or cross-site tracking pixels.
3.1 Strictly Necessary Cookies
These cookies are essential for the Service to function. They cannot be disabled.
- Session cookie (lnk_session) — Keeps you logged in across page loads. Expires when you close your browser or after 30 days of inactivity.
- CSRF token cookie (lnk_csrf) — A cryptographic token embedded in every form submission to protect against cross-site request forgery attacks. Session-scoped.
3.2 Functional Cookies
- Theme preference (lnk_theme) — Stores whether you prefer dark or light mode. Expires after 365 days. No personal data is stored.
3.3 Analytics
We do not use Google Analytics, Facebook Pixel, or any third-party analytics script on our marketing pages or dashboard. All usage analytics are computed from our own server-side logs using the anonymised data described in Section 1.4.
3.4 Managing Cookies
You can instruct your browser to refuse or delete cookies at any time. Note that disabling the session cookie will prevent you from staying logged in.
4. Link & QR Analytics
The analytics feature is the core value proposition of Linkly. Here is precisely what happens when someone clicks your link:
- The visitor's browser sends an HTTP request to our redirect server.
- We extract the country (from a geo-IP lookup), device type, and referrer domain from the request.
- The raw IP address and full User-Agent string are not written to any database. Only the derived, non-personally-identifiable attributes (country, device type, referrer domain) are stored alongside the click timestamp.
- The visitor is immediately redirected to your destination URL — typically in under 50 ms.
Because we do not store raw IP addresses in our analytics tables, individual visitor re-identification from analytics data alone is not technically possible.
As the link owner, you are the data controller for your bio page visitors' analytics data. By publishing links through Linkly, you acknowledge this responsibility. If your audience is based in the EU, you may wish to disclose the use of click tracking in your own privacy notice.
5. Data Sharing & Third Parties
We do not sell your personal data. We share it only in the following limited circumstances:
- Infrastructure providers — Our hosting, database, and CDN providers process data on our behalf under Data Processing Agreements that meet GDPR standards.
- Payment processors — If you subscribe to a paid plan, payment details are handled directly by Razorpay or Stripe. We never see or store your full card number. Their privacy policies govern how they handle your payment data.
- Email delivery — Transactional emails (password resets, billing receipts) are sent via an SMTP provider. Only your email address and the content of the email are shared for this purpose.
- Legal requirements — We may disclose your data if required by a valid court order, subpoena, or applicable law. We will notify you where legally permitted to do so.
- Business transfers — In the event of a merger, acquisition, or asset sale, your data may be transferred to the acquiring entity. We will provide notice before your data becomes subject to a different privacy policy.
6. Data Retention
- Account data — Retained for as long as your account is active. Upon account deletion, all account data is permanently erased within 30 days.
- Links, bio pages, QR codes — Deleted immediately upon your request or account deletion. Short link codes are then released back into our pool after a 90-day grace period to prevent URL hijacking.
- Analytics data — Retained for up to 24 months on paid plans and 6 months on free plans, then automatically purged. You can export your analytics data from the dashboard at any time.
- Server logs — Purged on a rolling 30-day cycle.
- Billing records — Retained for 7 years to comply with financial and tax regulations, even after account deletion.
7. Your Rights
7.1 GDPR Rights (EEA & UK Residents)
If you are located in the European Economic Area or United Kingdom, you have the following rights under GDPR:
- Right of access — Request a copy of all personal data we hold about you.
- Right to rectification — Correct inaccurate or incomplete data via your Account Settings at any time.
- Right to erasure ("right to be forgotten") — Delete your account and all associated data by navigating to Settings → Delete Account. We will permanently erase your data within 30 days.
- Right to restriction — Request that we limit processing of your data in certain circumstances.
- Right to data portability — Request a machine-readable export of your links and analytics data.
- Right to object — Object to processing based on our legitimate interests.
- Right to withdraw consent — Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, email us at [email protected] with the subject line "GDPR Data Request". We will respond within 30 days.
7.2 CCPA Rights (California Residents)
If you are a California resident, you have the following rights under the California Consumer Privacy Act:
- Right to know — Request disclosure of what personal information we collect, use, disclose, and sell (we do not sell personal information).
- Right to delete — Request deletion of your personal information, subject to certain exceptions.
- Right to opt-out of sale — We do not sell personal information. No opt-out is required.
- Right to non-discrimination — We will not discriminate against you for exercising your CCPA rights.
To submit a CCPA request, email [email protected] with "CCPA Request" in the subject line. We will verify your identity before processing the request.
8. Data Security
We implement appropriate technical and organisational measures to protect your data, including:
- All data in transit is encrypted using TLS 1.2 or higher.
- Passwords are hashed using a modern, salted one-way algorithm (bcrypt).
- Database access is restricted to application-level credentials; no public database endpoints are exposed.
- CSRF tokens protect all state-changing form submissions.
- Regular security reviews and dependency updates.
No system is perfectly secure. In the event of a data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR.
9. International Data Transfers
Your data may be processed in countries outside your own, including the United States. Where we transfer personal data from the EEA or UK to a third country, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or transfers to countries with an adequacy decision.
10. Children's Privacy
The Service is not directed at children under the age of 13 (or 16 in certain EU member states). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at [email protected] and we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where the changes are significant, notify you by email or via a prominent notice in the dashboard. Your continued use of the Service after the effective date of the revised policy constitutes your acceptance of the changes.
12. Contact Us
For any privacy-related questions, data subject requests, or concerns, please contact our team:
Email: [email protected]
Subject line for data requests: Privacy Request — [Your Name]
If you are located in the EU and are not satisfied with our response, you have the right to lodge a complaint with your local Data Protection Authority.