Privacy Policy - LinkTaps

Effective Date: January 17, 2025 Last Updated: January 17, 2025

Introduction

LinkTaps ("we," "our," or "us") is a minimal link redirect service that operates on a privacy-first principle. We are committed to collecting only the minimum amount of data necessary to provide our service and comply with legal requirements.

This Privacy Policy explains what information we collect, how we use it, and your rights under the General Data Protection Regulation (GDPR) and other applicable privacy laws.

Our Commitment to Minimal Data Collection

LinkTaps is designed from the ground up to minimize data collection. We:

- Do NOT store email body content

Do NOT use non-essential cookies or tracking cookies

Do NOT store uploaded CSV files

Do NOT fingerprint users

Do NOT sell or share your data with third parties for marketing purposes
Data Controller
LinkTaps acts as the data controller for the personal data we collect through our service.
Contact Information:

Email: support@linktaps.io

1. Information We Collect

1.1 Information You Provide Directly

Account Information:

Email address (required for passwordless authentication)

Creator username/slug (optional, for custom branded short links on shared domain)

Custom domain names (optional, if you choose to use your own domain)
Link/Campaign Data:

Short link slugs (the custom path in your short URLs)

Destination URLs (where your short links redirect to)

iOS and Android deep link URLs (optional, for mobile app redirects)
Feedback and Support:

Messages you send through our feedback form

Associated campaign or URL context (if provided)
CSV Import Data:

Campaign data you upload via CSV (slugs, URLs, deep links)

Note: CSV files are processed in-memory and are NOT stored on our servers
1.2 Information Collected Automatically
Click Analytics (for your links):

When someone clicks on your short link, we collect:

Device type (mobile, desktop, tablet)

Operating system (iOS, Android, Windows, macOS, Linux)

Browser type

Whether the click came from an in-app browser

User agent string

HTTP referrer (the website they came from)

Country (derived from IP address via geolocation)

Timestamp of the click
IP Addresses:

We collect IP addresses for geolocation (to determine country) and security purposes

IP addresses are NOT stored long-term for analytics purposes

We do NOT track individual users across sessions using IP addresses
Web Analytics (Cloudflare Web Analytics):

We use Cloudflare Web Analytics to understand how our website (not your links) is used

Cloudflare Web Analytics does NOT use cookies

It collects: page views, referrer information, browser type, and country

Data is aggregated and anonymized

See Cloudflare's privacy policy: https://www.cloudflare.com/privacypolicy/
1.3 Cookies
We use only ONE cookie, which is strictly necessary for our service to function:
Session Cookie (connect.sid):

Purpose: Maintains your authenticated session after passwordless login

Type: Essential/Strictly Necessary (does NOT require consent under GDPR)

Duration: 30 days

Attributes: HttpOnly, Secure (HTTPS only in production), SameSite=Lax

Domain: linktaps.io
We do NOT use:

Marketing cookies

Advertising cookies

Social media tracking cookies

Third-party tracking cookies
Because we only use essential cookies, you will not see a cookie consent banner on our site.
1.4 Information We Do NOT Collect or Store
- Email body content - We use a metadata-only email logging system for SOC 2 and GDPR compliance. We store only: recipient email, subject line, email type, timestamp, and delivery status. We do NOT store login codes, magic link URLs, or message content.

Uploaded files - CSV files are processed in-memory and immediately discarded after processing

Passwords - We use passwordless authentication (magic links and login codes)

Payment information - Currently not collected (service is free)

Precise geolocation - We only derive country-level location from IP addresses
2. Legal Basis for Processing (GDPR)
We process your personal data under the following legal bases:
Data Type | Legal Basis | Purpose

|-----------|-------------|---------| Email address, account data | Contractual necessity | To provide you with the link redirect service you requested Click analytics data | Legitimate interests | To provide you with analytics about your links' performance Security logs, rate limiting | Legitimate interests | To protect our service from abuse and ensure security Email delivery metadata | Legal obligation | SOC 2 compliance and audit trail requirements IP address (geolocation) | Legitimate interests | To provide country-level analytics for your campaigns Cloudflare Web Analytics | Legitimate interests | To improve our website and service

3. How We Use Your Information

We use the collected information for the following purposes:

3.1 Service Delivery

Authenticate you into your account (via email-based magic links/codes)

Create and manage your short links and campaigns

Redirect visitors who click your links to the appropriate destination

Provide analytics about link performance (clicks, devices, locations, etc.)

Send transactional emails (login codes, domain verification, alerts)
3.2 Service Improvement

Analyze aggregated usage patterns to improve our service

Monitor service performance and reliability

Troubleshoot technical issues
3.3 Security and Compliance

Prevent fraud, abuse, and unauthorized access

Enforce our Terms of Service

Comply with legal obligations (SOC 2, GDPR, etc.)

Maintain audit logs for security incidents
3.4 Communication

Send you important service notifications (domain SSL certificate expiration, etc.)

Respond to your support requests and feedback

Send occasional product updates (you can opt out)
4. Data Retention
We retain your personal data only as long as necessary for the purposes outlined in this policy:
Data Type | Retention Period | Reason

|-----------|------------------|--------| Account information | Until account deletion | Service provision Campaign/link data | Until you delete the campaign or account | Service provision Click analytics | Indefinitely (aggregated) | Analytics and service improvement Email audit metadata | 7 years | SOC 2 compliance, legal requirements Security logs | 90 days | Security monitoring and incident response Rate limit counters | 1-24 hours (rolling windows) | Abuse prevention Session cookies | 30 days or logout | Authentication Inactive accounts | May be deleted after 2 years of inactivity | Data minimization

You can request deletion of your data at any time by contacting us or deleting your account.

5. Data Sharing and Disclosure

We do NOT sell your personal data to third parties.

We may share your information only in the following limited circumstances:

5.1 Service Providers (Data Processors)

We use the following third-party service providers who process data on our behalf:

Provider | Purpose | Data Shared | Location |----------|---------|-------------|----------| Convex | Database hosting | All account and campaign data | United States Amazon Web Services (AWS SES) | Email delivery | Email addresses, metadata | United States Cloudflare | Web analytics, CDN, DDoS protection | IP addresses, browsing data | Global Fly.io | Application hosting | HTTP request data | United States

All processors are contractually bound to protect your data in compliance with GDPR.

5.2 Legal Requirements

We may disclose your information if required by law, such as:

In response to valid legal process (subpoena, court order)

To protect our rights, property, or safety

To prevent fraud or security threats

To comply with regulatory obligations
5.3 Business Transfers
If LinkTaps is involved in a merger, acquisition, or sale of assets, your data may be transferred. You will be notified of any such change.
6. International Data Transfers
LinkTaps is operated from the United States. If you access our service from outside the United States, your data will be transferred to and processed in the United States.
For users in the European Economic Area (EEA), United Kingdom, or Switzerland:

We rely on adequacy decisions, Standard Contractual Clauses (SCCs), or other legally recognized transfer mechanisms

Our service providers (AWS, Cloudflare, Convex) comply with GDPR requirements
7. Your Rights Under GDPR
If you are located in the EEA, UK, or Switzerland, you have the following rights:
7.1 Right to Access

You can request a copy of the personal data we hold about you.

7.2 Right to Rectification

You can request correction of inaccurate or incomplete data.

7.3 Right to Erasure ("Right to be Forgotten")

You can request deletion of your personal data by:

Deleting your account through the dashboard

Emailing us at support@linktaps.io
Note: Some data may be retained for legal compliance (e.g., email audit logs for SOC 2).
7.4 Right to Restriction of Processing

You can request that we limit how we use your data in certain circumstances.

7.5 Right to Data Portability

You can request a machine-readable copy of your data to transfer to another service.

7.6 Right to Object

You can object to processing based on legitimate interests (such as analytics).

7.7 Right to Withdraw Consent

Where we rely on consent, you can withdraw it at any time (though this doesn't apply to most of our processing, which is based on contract or legitimate interests).

7.8 Right to Lodge a Complaint

You can file a complaint with your local data protection authority (DPA) if you believe we have violated GDPR.

To exercise any of these rights, contact us at: support@linktaps.io

We will respond to your request within 30 days.

8. Security Measures

We implement industry-standard security measures to protect your data:

Technical Measures:

Encryption in transit: All data transmitted over HTTPS (TLS 1.2+)

Encryption at rest: Database encryption via Convex

Secure session management: HttpOnly, Secure, SameSite cookies

Rate limiting: Protection against brute force and abuse

Account lockouts: Automatic lockout after 10 failed login attempts (24 hours)

Email bounce tracking: Prevents sending to invalid/bounced addresses

Security logging: Comprehensive audit trail of security events
Organizational Measures:

Privacy by design and by default

Metadata-only email logging (no sensitive content stored)

Minimal data collection principle

Regular security monitoring

Access controls and authentication
However, no system is 100% secure. If you discover a security vulnerability, please report it to support@linktaps.io.
9. Children's Privacy
LinkTaps is not intended for children under the age of 13 (or 16 in the EEA). We do not knowingly collect personal data from children. If we learn that we have collected data from a child without parental consent, we will delete it immediately.
If you believe a child has provided us with personal data, please contact us at support@linktaps.io.
10. Do Not Track (DNT)
Some browsers offer a "Do Not Track" (DNT) signal. Because there is no industry standard for DNT, we do not currently respond to DNT signals. However, we already minimize tracking by:

Using only essential cookies

Using cookie-less analytics (Cloudflare Web Analytics)

Not using third-party advertising or tracking scripts
11. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to Know: What personal information we collect, use, and share

Right to Delete: Request deletion of your personal information

Right to Opt-Out: We do not sell personal information, so this right is not applicable

Right to Non-Discrimination: We will not discriminate against you for exercising your rights
To exercise these rights, contact us at support@linktaps.io.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will:

Update the "Last Updated" date at the top of this policy

Notify you via email (to the address on file)

Provide prominent notice on our website
Continued use of our service after changes constitute acceptance of the updated policy.
13. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Email: support@linktaps.io
Data Protection Inquiries: For GDPR-specific requests, please include "GDPR Request" in the subject line.
14. Key Takeaways (Summary)
For your convenience, here's a summary of our privacy-first approach:
✓ Minimal Data Collection: We collect only what's necessary to run a link redirect service
✓ No Cookie Banner: We use only essential authentication cookies
✓ No Email Content Storage: Only metadata is stored for compliance
✓ No File Storage: CSV imports are processed in-memory only
✓ No Data Selling: We never sell your data to third parties
✓ Cookieless Analytics: Cloudflare Web Analytics doesn't use cookies
✓ GDPR Compliant: Full user rights support (access, deletion, portability, etc.)
✓ SOC 2 Compliant: Metadata-only email logging and security audit trails
✓ Privacy by Design: Built with data minimization as a core principle
Thank you for trusting LinkTaps with your link management needs.

Introduction

Our Commitment to Minimal Data Collection

Data Controller

1. Information We Collect

1.1 Information You Provide Directly

1.2 Information Collected Automatically

1.3 Cookies

1.4 Information We Do NOT Collect or Store

2. Legal Basis for Processing (GDPR)

3. How We Use Your Information

3.1 Service Delivery

3.2 Service Improvement

3.3 Security and Compliance

3.4 Communication

4. Data Retention

5. Data Sharing and Disclosure

5.1 Service Providers (Data Processors)

5.2 Legal Requirements

5.3 Business Transfers

6. International Data Transfers

7. Your Rights Under GDPR

7.1 Right to Access

7.2 Right to Rectification

7.3 Right to Erasure ("Right to be Forgotten")

7.4 Right to Restriction of Processing

7.5 Right to Data Portability

7.6 Right to Object

7.7 Right to Withdraw Consent

7.8 Right to Lodge a Complaint

8. Security Measures

Technical Measures:

Organizational Measures:

9. Children's Privacy

10. Do Not Track (DNT)

11. California Privacy Rights (CCPA)

12. Changes to This Privacy Policy

13. Contact Us

14. Key Takeaways (Summary)