TL;DR
- Linkzly provides GDPR-aware privacy features including consent management, jurisdiction-aware rules, and full data deletion capabilities.
- You have full rights: access, rectification, erasure, restriction, portability, and objection — all exercisable via dpo@linkzly.com.
- We offer privacy-compliant attribution modes: strict, consent-based, and privacy-preserving to match your compliance needs.
- Data transfers outside the EEA are protected by Standard Contractual Clauses (SCCs) and Data Processing Agreements.
- Response time for all GDPR requests: within 30 days. Contact our DPO at dpo@linkzly.com.
Overview
Linkzly provides GDPR-aware privacy features built into our MMP platform. Our privacy compliance service includes consent management, GDPR consent handling, CCPA opt-out support, and jurisdiction-aware privacy rules. Our gaming module also supports full GDPR data deletion workflows.
This page outlines your rights under the GDPR, the data we collect, our legal basis for processing, and how you can exercise your rights. For our full privacy practices, please refer to our Privacy Policy.
Your GDPR Rights
Right to Access
Request a copy of all personal data we hold about you, including attribution analytics, user profiles, and activity logs.
Right to Rectification
Request correction of inaccurate or incomplete personal data in your account settings or organization details.
Right to Erasure
Request deletion of your personal data, including all links, analytics data, app configurations, and account information.
Right to Restriction
Request limitation of processing your personal data while we verify accuracy or process your objections.
Right to Portability
Receive your personal data in a structured, machine-readable format (JSON/CSV) for transfer to another service.
Right to Object
Object to processing of your personal data for direct marketing, analytics, or other legitimate interests.
Data We Collect & Process
Account Data
- Email address, name, and profile information
- Organization details and team membership
- Authentication credentials (bcrypt-hashed passwords, 2FA/TOTP settings with backup codes)
- API keys and webhook configurations
Link & Attribution Data
- Deep links, custom short codes, QR codes, and destination URLs
- Click data: timestamps, IP addresses, user agents, referrer information
- Geolocation data (city/country level, derived from IP via MaxMind/DB-IP)
- Device and browser information for attribution
- Mobile app attribution data (SDK events, install tracking, deep link opens)
- UTM parameters, campaign tracking, and bot detection signals
Technical Data
- Activity logs and audit trails (retained for 90 days)
- API usage logs (endpoint, method, status, response time, IP)
- Session data (tokens, user agent, device fingerprint, geo data)
- Payment and subscription information (via Stripe)
Legal Basis for Processing
Contract Performance
Processing necessary to provide our MMP platform services, including attribution analytics, deep linking, and app distribution, as outlined in our Terms of Service.
Legitimate Interests
Analytics processing to improve service quality, prevent fraud through bot detection and rate limiting, and ensure platform security via risk scoring.
Consent
Marketing communications and optional features (which you can opt out of at any time via account settings).
Legal Obligation
Compliance with applicable laws, regulations, and legal processes including data retention requirements.
Data Retention Policy
Analytics Data Retention by Plan
- Free: 30 days
- Starter: 90 days
- Professional: 365 days
- Enterprise: Unlimited

- Account Data: Retained while active, deleted within 30 days of deletion request
- Activity Logs: Audit trails retained for 90 days (DynamoDB TTL)
- Sessions: Cleaned every 4 hours
- Expired Tokens: Daily cleanup at 3:00 AM UTC
- Backup Data: Encrypted backups retained for 30 days, then permanently deleted
- Legal Holds: Data may be retained longer if required by law or legal proceedings
Security & Protection Measures
Encryption
- AES-256-GCM encryption for sensitive data at rest
- TLS encryption in transit via AWS/Cloudflare
- Encrypted database backups via Supabase
Access Controls
- Role-based access control (RBAC)
- 2FA/TOTP with backup codes
- API key authentication with IP restrictions
Authentication
- Bcrypt password hashing
- JWT token system with rotation
- Account lockout after failed attempts
Monitoring
- Security event monitoring with risk scoring
- Multi-tier rate limiting
- Automated threat detection and incident response
International Data Transfers
Linkzly operates globally and may transfer your personal data to countries outside the European Economic Area (EEA). We ensure appropriate safeguards are in place:
- EU-approved data transfer agreements with all third-party processors
- Data transfers to countries with EU-recognized adequate protection levels
- Binding agreements with all sub-processors ensuring GDPR compliance
Third-Party Data Processors
We work with the following categories of third-party processors:
- Cloud Infrastructure: AWS (hosting, storage, and compute)
- Database Hosting: Supabase (PostgreSQL database)
- CDN & Edge: Cloudflare (CDN, Workers, and edge computing)
- Payment Processing: Stripe (subscription and billing)
- Geolocation: MaxMind / DB-IP (IP-based geolocation for attribution)
- Email Services: SMTP / Nodemailer (transactional emails)
- SendGrid — email delivery (if configured by your account)
- Sentry — error tracking and performance monitoring (if configured)
- Google Ads, Meta Ads, Snapchat Ads — only when you enable ad network integrations
Privacy-Compliant Attribution Modes
Linkzly offers three privacy-compliant attribution modes to match your compliance requirements:
Strict Mode
Minimal data collection with no probabilistic methods. Only deterministic attribution via install referrers and direct SDK events. Ideal for maximum privacy compliance.
Consent-Based Mode
Full attribution capabilities activated only after explicit user consent is obtained. Integrates with our consent management service for jurisdiction-aware handling.
Privacy-Preserving Mode
Balanced approach using aggregated and anonymized signals. Maintains attribution accuracy while minimizing personal data exposure. Supports SKAdNetwork for iOS.
Exercise Your Rights
To exercise any of your GDPR rights or if you have questions about how we process your data, please contact our Data Protection Officer at dpo@linkzly.com.
Right to Lodge a Complaint
If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection supervisory authority. For EU residents, you can find your authority at edpb.europa.eu.
This GDPR compliance page is regularly reviewed and updated to reflect our current practices.