Privacy Policy

1. Introduction

At Lenklyst (“we,” “us,” or “our”), we are committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use Lenklyst.com and its services (the “Platform”).

This policy complies with the General Data Protection Regulation (GDPR) (EU), the California Consumer Privacy Act (CCPA) (USA), and the Digital Personal Data Protection Act (DPDP Act, 2023) (India).

2. Information We Collect

We collect the following categories of data:

2.1 Account Information (Provided by You)

• Identity Data: Name, email address, and username, provided via Clerk authentication.
• Profile Data: Avatar, bio, website URL, and social links you choose to add.
• Content Data: Links you shorten, bio pages, QR codes, forms, and storefront products you create.

2.2 Automatically Collected Data

• Click Analytics: Anonymized IP address (last octet truncated), device type, country, city (derived from IP), browser user agent, referrer URL, and UTM parameters.
• Browser Fingerprint: A SHA-256 hash derived from IP, user agent, language, and screen resolution — used solely for unique visitor counting and fraud detection. The raw data is not stored.
• Form Submission Metadata: Anonymized IP, device type, country, city, and referrer for form click analytics.

2.3 Transaction Data

• Storefront Purchases: Buyer email, purchase amount, currency, and product ID for order fulfillment.
• Payment Data: Processed securely by DodoPayments. We do not store credit card numbers.

2.4 Cookies & Local Storage

See our Cookie Policy for full details. We obtain consent before setting non-essential cookies.

3. Lawful Basis for Processing

Under GDPR, we process your data on the following legal bases:

• Contractual Necessity (Art. 6(1)(b)): Account data and link data are required to provide the service you signed up for.
• Legitimate Interest (Art. 6(1)(f)): Anonymized click analytics, fraud detection, and platform security. We have conducted a balancing test and concluded that these interests do not override your rights.
• Consent (Art. 6(1)(a)): Google Analytics, Vercel Analytics, and marketing/retargeting pixels are only loaded after you provide explicit consent via our cookie banner.
• Legal Obligation (Art. 6(1)(c)): Transaction records retained for tax and financial compliance.

4. How We Use Your Data

• Provide, maintain, and improve the Lenklyst platform.
• Generate analytics reports visible in your dashboard.
• Detect and prevent fraud, abuse, and bot traffic.
• Process storefront transactions and creator payouts.
• Send essential service notifications (security alerts, billing).
• Comply with legal obligations.

We do not sell your personal data. We do not use your data for automated decision-making or profiling.

5. Third-Party Services & Analytics

We use the following third-party services that may process your data:

Google Analytics uses cookies to track aggregated website usage behavior. This data is anonymized and collected only after you provide consent. You can opt out by adjusting your cookie preferences or installing the Google Analytics Opt-out Browser Add-on.

6. Data Retention

• Account Data: Retained until you delete your account.
• Click Analytics: Retained for 24 months from the date of collection, then automatically purged.
• Form Submissions: Retained until the form owner deletes them, or upon account deletion.
• Transaction Records: Retained for 7 years as required by financial regulations.
• Cookies: See our Cookie Policy for specific durations.

7. Your Rights

Depending on your location, you have the following rights:

Under GDPR (EU/EEA Residents)

• Right of Access (Art. 15): Request a copy of your personal data.
• Right to Rectification (Art. 16): Correct inaccurate data via your dashboard settings.
• Right to Erasure (Art. 17): Delete your account and all associated data from Settings → Security → Delete Account.
• Right to Data Portability (Art. 20): Export all your data in JSON format from Settings → Security → Export Data.
• Right to Object (Art. 21): Object to processing based on legitimate interest by contacting us.
• Right to Withdraw Consent: Withdraw cookie consent at any time by clearing your cookies or using our cookie banner settings.

Under CCPA (California Residents)

• Right to Know: What personal information we collect about you (see Section 2).
• Right to Delete: Request deletion of your personal information.
• Right to Opt-Out: We do not sell your personal information. If this changes, we will provide a “Do Not Sell My Personal Information” link.
• Right to Non-Discrimination: We will not discriminate against you for exercising your rights.

Under DPDP Act (Indian Residents)

• Right to Access: Access information about the personal data we process.
• Right to Correction & Erasure: Correct or delete your personal data.
• Right to Grievance Redressal: Contact our Grievance Officer (see Section 12).
• Right to Nominate: Nominate an individual to exercise your rights in case of death or incapacity.

8. Children's Privacy

Lenklyst is not intended for children. We do not knowingly collect data from:

• Users under 13 years of age (COPPA / CCPA — United States)
• Users under 16 years of age (GDPR — European Union)
• Users under 18 years of age without verifiable parental consent (DPDP Act — India)

If we discover that we have collected data from a minor without appropriate consent, we will delete it promptly. If you believe a minor has provided us with personal data, please contact us at legal@lenklyst.com.

9. Cross-Border Data Transfers

Your data may be processed and stored in the United States and the European Union, depending on the infrastructure used by our subprocessors (Supabase, Clerk, Vercel). Where data is transferred outside your jurisdiction, we ensure adequate safeguards are in place in accordance with applicable law.

10. Data Security

• All data in transit is encrypted using HTTPS (TLS 1.3).
• All data at rest is encrypted by our database provider (Supabase/AWS).
• Authentication is handled by Clerk with industry-standard security (bcrypt hashing, MFA support).
• Database access is protected by Row Level Security (RLS) policies.
• IP addresses are anonymized before storage (last octet truncated).
• Security headers (HSTS, X-Frame-Options, CSP, etc.) are applied to all responses.

11. Data Breach Notification

In the event of a data breach that poses a risk to your rights, we will:

• Notify the relevant supervisory authority within 72 hours (GDPR requirement).
• Notify affected users without undue delay, via the email on their account.
• Take immediate remedial action to contain and resolve the breach.

12. Do Not Sell My Information

We do not sell your personal information to third parties. We do not share your data for cross-context behavioral advertising. If you are a California resident, you have the right to know that we do not engage in the sale of personal information as defined by the CCPA.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email or an in-app notice. The “Last Updated” date at the top will always reflect the latest revision.