Privacy Policy
Last updated: 13 April 2026
Xpolink ("we", "us", "our") operates the xpolink.app website and related services. This Privacy Policy explains what data we collect, how we use it, and your rights regarding that data.
1. Information We Collect
1.1 Account Information
When you create an account, we collect:
- Email address
- Name (if provided)
- Profile picture (if provided via your authentication provider)
Authentication is handled by Clerk, a third-party identity provider. We do not store passwords. Please refer to Clerk's Privacy Policy for details on how they handle authentication data.
1.2 Link Data
When you create short links, we store:
- The original (destination) URL
- The short code and domain used
- Any title or metadata you provide
- Configuration settings (e.g. password protection, scheduling, geo-routing rules)
1.3 Click Analytics Data
When someone clicks a short link, we automatically collect:
- Approximate geographic location (country, city, region) derived from the visitor's IP address
- Device type (mobile, tablet, desktop)
- Browser and operating system
- Referring website URL
- UTM parameters from the referring URL
- Date and time of the click
We do notstore the visitor's raw IP address. Geographic data is derived from IP headers provided by our hosting infrastructure (Vercel) and only the country, city, and region are recorded.
1.4 Email Gate Data
If a link creator enables the email gate feature (Business plan), we collect email addresses submitted by visitors. These emails are stored on behalf of the link creator and are visible to them in their dashboard. Visitors are informed that their email will be shared with the link creator before submission.
1.5 Payment Information
Payments are processed by Stripe. We do not store credit card numbers or bank details. We retain your Stripe customer ID to manage your subscription. See Stripe's Privacy Policy for details.
2. How We Use Your Data
We use collected data to:
- Provide and operate the Xpolink service (link creation, redirection, analytics)
- Display analytics dashboards to link creators
- Enforce plan limits and feature access
- Send transactional emails (domain verification, team invites, email gate notifications)
- Detect and prevent abuse, fraud, and security threats
- Improve and maintain the service
We do not sell your personal data to third parties. We do not use your data for advertising purposes.
3. Data Sharing
We share data only with the following categories of recipients:
- Infrastructure providers — Vercel (hosting), Neon (database), Clerk (authentication), Stripe (payments), Elastic Email (transactional email)
- Your team members — other members of your Xpolink team can see links, analytics, and settings
- Link visitors — click analytics are shown to the link creator, not to other visitors
- Law enforcement — when required by law, subpoena, or court order
4. Data Retention
- Account data — retained for the lifetime of your account
- Link data — retained for the lifetime of your account
- Click analytics — retained according to your plan (Free: 7 days, Pro: 90 days, Business: 365 days). Older data is automatically deleted.
- Captured emails — retained for the lifetime of the link or until the link creator deletes them
When you delete your account, all associated data (links, analytics, domains, team data) is permanently deleted within 30 days.
5. Lawful Basis for Processing (GDPR)
Under the General Data Protection Regulation (GDPR), we process personal data on the following legal bases:
- Contract performance — processing necessary to provide the Service you signed up for (account management, link creation, analytics display, billing)
- Legitimate interest — processing necessary for our legitimate business interests where those interests are not overridden by your rights (click analytics aggregation, abuse detection, service improvement)
- Consent — where you have given explicit consent (email gate submissions by link visitors, optional email notifications)
- Legal obligation — processing necessary to comply with a legal obligation (responding to law enforcement requests, tax record keeping)
You may withdraw consent at any time by contacting us. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
6. Your Rights Under GDPR
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following rights under the GDPR:
- Right of access — request a copy of the personal data we hold about you
- Right to rectification — request correction of inaccurate or incomplete data
- Right to erasure ("right to be forgotten") — request deletion of your personal data, subject to legal retention requirements
- Right to restrict processing — request that we limit how we use your data
- Right to data portability — receive your data in a structured, machine-readable format (JSON or CSV)
- Right to object — object to processing based on legitimate interest, including profiling
- Right to withdraw consent — withdraw previously given consent at any time
- Right to lodge a complaint — file a complaint with your local data protection authority
We will respond to all GDPR requests within 30 days. To exercise any of these rights, contact us at privacy@xpolink.app.
7. Your Rights Under CCPA
If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with the following rights:
- Right to know — request that we disclose the categories and specific pieces of personal information we have collected about you, the sources of collection, the purposes, and the categories of third parties with whom we share it
- Right to delete — request deletion of your personal information, subject to certain exceptions
- Right to correct — request correction of inaccurate personal information
- Right to opt out of sale or sharing — see below
- Right to non-discrimination — we will not discriminate against you for exercising your CCPA rights
Do Not Sell or Share My Personal Information
Xpolink does not sell your personal information. We do not sell, rent, or trade personal data to third parties for monetary or other valuable consideration. We do not share personal information for cross-context behavioural advertising.
Because we do not sell or share personal information as defined by the CCPA/CPRA, there is no need to opt out. However, if you have questions or concerns, you may contact us at privacy@xpolink.app.
Categories of Personal Information Collected
Under CCPA categories, we collect:
| CCPA Category | Examples | Sold? |
|---|---|---|
| Identifiers | Email address, name, account ID | No |
| Internet or network activity | Click events, referrer URLs, device/browser info | No |
| Geolocation data | Country, city, region (approximate, derived from IP) | No |
| Commercial information | Subscription plan, payment history (via Stripe) | No |
We will respond to verified CCPA requests within 45 days. To submit a request, contact privacy@xpolink.app.
8. Sub-Processors and International Data Transfers
We use the following sub-processors to operate the Service. Data Processing Agreements (DPAs) are in place with each provider:
| Provider | Purpose | Location |
|---|---|---|
| Vercel | Hosting, serverless functions, edge network | United States (global edge) |
| Neon | PostgreSQL database | United States (us-east-1) |
| Clerk | Authentication and identity management | United States |
| Stripe | Payment processing and subscription billing | United States |
| Elastic Email | Transactional email delivery | Canada / United States |
Data may be transferred to and processed in the United States and other countries where our sub-processors operate. These transfers are safeguarded by Standard Contractual Clauses (SCCs) and/or the sub-processor's compliance with applicable data protection frameworks.
9. Cookies
We use the following cookies:
- Authentication cookies — managed by Clerk to keep you signed in
- Sidebar preference — stores whether the dashboard sidebar is collapsed
- Interstitial gate cookies — short-lived (1 hour) cookies used to track whether a visitor has passed a password or email gate, so they don't need to re-enter on refresh
We do not use third-party tracking cookies, advertising cookies, or analytics cookies (e.g. Google Analytics).
10. Security
We take reasonable measures to protect your data:
- All data is transmitted over HTTPS/TLS
- Database connections use SSL
- Passwords for protected links are bcrypt-hashed (never stored in plaintext)
- API keys are stored as one-way hashes
- Interstitial gate tokens are HMAC-signed
11. Children
Xpolink is not intended for use by anyone under 16. We do not knowingly collect data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
12. Data Breach Notification
In the event of a data breach that is likely to result in a risk to the rights and freedoms of individuals, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33
- Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms
- Document the breach, its effects, and the remedial actions taken
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting a notice on our website or sending an email. Your continued use of Xpolink after changes take effect constitutes acceptance of the updated policy.
14. Contact
For privacy-related inquiries, contact us at: privacy@xpolink.app
See also: Terms of Service