Data Processing Addendum
This addendum supplements our Terms of Service and Privacy Policy. It applies whenever Xpolink processes personal data on behalf of a customer.
1. Roles and definitions
For the purposes of the GDPR and UK GDPR, the Customer is the Controller and Xpolink is the Processor. Terms such as "personal data", "processing", "data subject", "supervisory authority", and "Standard Contractual Clauses" have the meanings set out in the GDPR.
2. Subject matter, duration, and purpose
Xpolink processes personal data to provide its short-link, analytics, domain management, and customer support services. Processing continues for the duration of the Customer's subscription and for a reasonable period afterwards to satisfy legal, audit, and security obligations.
3. Categories of data subjects and data
- Account data — email, name, authentication identifiers for Customer users (admins, team members).
- Link metadata — destination URLs, titles, slugs, schedules, geo-routing rules, and captured visitor emails where the Customer has enabled email-gate features.
- Click analytics — country, city (Pro+), device class, browser, OS, referring domain, and timestamp for each short-link click.
- Billing metadata — Stripe customer and subscription identifiers (payment card data is held by Stripe, not Xpolink).
4. Xpolink obligations
- Process personal data only on documented Customer instructions.
- Ensure personnel authorised to access personal data are bound by confidentiality.
- Implement appropriate technical and organisational measures, including encryption in transit, least-privilege access to production systems, audit logging, and platform-level HTTP security headers.
- Assist the Customer in responding to data-subject requests and in meeting Articles 32–36 obligations (security, breach notification, DPIAs).
- Notify the Customer without undue delay after becoming aware of a personal data breach.
- Return or delete personal data at the end of the services on request.
5. Sub-processors
The Customer provides general authorisation for Xpolink to engage sub-processors. We will give reasonable notice of new sub-processors and offer the Customer an opportunity to object on reasonable grounds.
| Sub-processor | Purpose | Region | Safeguard |
|---|---|---|---|
| Vercel | Application hosting, CDN, edge compute | Global (US primary) | SCCs + Vercel DPA |
| Neon | Primary Postgres database | US / EU | SCCs + Neon DPA |
| Clerk | User authentication & session management | US | SCCs + Clerk DPA |
| Stripe | Subscription billing & payment processing | US / Global | SCCs + Stripe DPA |
| Elastic Email | Transactional email (invites, notifications) | US / EU | SCCs + Elastic Email DPA |
| Upstash | Redis cache & distributed rate limiting | Global (user-selected) | SCCs + Upstash DPA |
6. International transfers
Where personal data is transferred outside the EEA or UK, the transfer is covered by the EU Standard Contractual Clauses (2021/914) and, where applicable, the UK International Data Transfer Addendum. Each sub-processor listed above has signed a DPA with Xpolink or publishes one on its own terms.
7. Security measures
See our Security page for a summary of the technical and organisational measures Xpolink applies.
8. Breach notification
Xpolink will notify affected Customers of a personal data breach within 72 hours of becoming aware of it, in line with Article 33. The notification will describe the nature of the breach, data categories affected, likely consequences, and remediation steps.
9. Contact
For questions about this DPA, or to request a counter-signed copy, email privacy@xpolink.app.
Last updated: 2026-04-17.