Privacy Policy

2. Data we collect

2.1 Account data

When you create an account we collect:

• Email address
• Password (securely encrypted — we never store plaintext passwords)
• Username

2.2 Profile data

You may optionally provide:

• Display name
• Bio (up to 160 characters)
• Avatar image
• Background image
• Theme and custom colour preferences

2.3 Links

Links you add to your profile (URL, label, position) are stored in our database and displayed publicly on your profile page.

2.4 Analytics data

We collect basic, anonymous analytics to show you how your profile performs:

• Profile views — a timestamp is recorded each time someone visits your public profile. No visitor identity is stored.
• Link clicks — when a visitor clicks one of your links, we record the link ID, a timestamp, and the HTTP referrer header (if present). No visitor identity is stored.
• Enhanced analytics (paid tiers)— for users on paid plans, we additionally derive the visitor's countryfrom IP-based geolocation headers provided by our infrastructure provider (Cloudflare). We store only the two-letter country code (e.g. "DE"), never the IP address itself. We also derive device type (desktop, mobile, tablet), browser name, and operating systemfrom the User-Agent HTTP header. We also derive the visitor's preferredlanguagefrom the Accept-Language header (primary language code only, e.g. "en"). A short-lived anonymous session cookie("lynkli_sid", 30-minute expiry) is set to compute aggregate session metrics such as bounce rate and session depth. This cookie contains a random identifier only — no personal data. It is not used for cross-site tracking. All enriched data is available only to the profile owner for usage statistics. No visitor identity is stored.

2.5 Saved links

If you bookmark another user's link, we store a reference linking your account to that link along with a timestamp.

2.6 Cookies

We use the following cookies:

• Authentication cookies (set by Supabase Auth) — strictly necessary to keep you signed in. These are HttpOnly session cookies.
• Click de-duplication cookie (lc_*) — a short-lived cookie (30 seconds, HttpOnly) set when you click a link to prevent the same click from being counted twice. It contains no personal data.

We do not use any advertising, analytics, or tracking cookies. We do not use Google Analytics, Facebook Pixel, or any similar third-party tracking service.

3. Legal basis for processing

We process your data on the following legal bases (GDPR Art. 6):

• Contract performance (Art. 6(1)(b)) — processing necessary to provide the service you signed up for (account, profile, links).
• Legitimate interest (Art. 6(1)(f)) — anonymous analytics (profile views, link clicks) to provide you with usage statistics.
• Consent (Art. 6(1)(a)) — where you explicitly agree, such as accepting our Terms and Privacy Policy at sign-up.

4. Third-party processors

4.1 Supabase

We use Supabase (Supabase Inc.) for authentication, database, and file storage. Supabase processes your data on our behalf as a data processor. See supabase.com/privacy for their privacy policy.

4.2 SightEngine (content moderation)

When you upload an avatar or background image, the image is sent to SightEngine (SightEngine SAS, France) for automated content moderation. SightEngine checks the image for prohibited content (nudity, violence, self-harm) and returns a safety score. SightEngine does not retain your images after processing. See sightengine.com/policies/privacy for their privacy policy.

4.3 Discord (optional)

If you choose to sign in with Discord, Discord Inc. shares your email address and basic profile data with us as part of the OAuth flow. We only use this to create or link your Lynkli account. See Discord's privacy policy for details.

4.4 Google Favicon API

We use Google's public Favicon API to display website icons next to your links. This sends only the domain name of each link to Google — no personal data is included.

5. Data retention

• Account and profile data is retained for as long as your account is active.
• When you delete your account, your personal data is anonymised immediately. The anonymised record is permanently purged after 30 days.
• Uploaded images (avatar, background) are deleted immediately upon account deletion.
• Analytics data (profile views, link clicks) associated with your profile is deleted when the 30-day purge runs.

6. Your rights

Under the GDPR you have the right to:

• Access — request a copy of all personal data we hold about you. You can export your data from your dashboard.
• Rectification — correct inaccurate data via your profile settings.
• Erasure — delete your account from your profile settings. Data is anonymised immediately and permanently purged after 30 days.
• Data portability — export your data in a machine-readable JSON format from your profile settings.
• Restriction / objection — contact us at privacy@lynkli.io to restrict or object to specific processing.
• Withdraw consent — you may withdraw consent at any time by deleting your account or contacting us.
• Lodge a complaint — you have the right to lodge a complaint with your local data protection authority.

7. Data transfers

Your data is stored within the European Union. Where data is transferred to processors outside the EU (e.g. Discord in the US), we rely on Standard Contractual Clauses or equivalent safeguards as required by GDPR Chapter V.

8. Security

We implement appropriate technical and organisational measures to protect your data, including: encrypted connections (HTTPS/TLS), row-level security on our database, Content Security Policy headers, HttpOnly authentication cookies, and automated content moderation for uploaded images.

9. Changes to this policy

We may update this privacy policy from time to time. Material changes will be communicated via a notice on the website. The "Last updated" date at the top reflects the most recent revision.