We are actively working toward full GDPR compliance. This policy reflects our current practices and implemented features. A formal legal review is in progress. If you have any questions or requests in the meantime, please contact us at
https://linkembed.io/contact.
1. Introduction
This Privacy Policy describes how we collect, use, store, and protect information when you use our service.
2. Information We Collect
2.1 Account Information
- Email address (required for account creation and authentication)
- Name (provided during signup)
- Password (hashed and stored securely, never accessible in plain text)
2.2 Workspace and Content Data
- Workspace names, slugs, and settings
- Links, folders, and their associated metadata (titles, slugs, embed codes, redirect URLs)
- Custom domain configurations
- Workspace member relationships and roles
- Password-protected link passwords (hashed, never stored in plain text)
2.3 Analytics Data
We collect analytics data to help you understand how your links are being used. This includes:
- Event type (view or redirect)
- Link and workspace identifiers
- Request hostname (domain and subdomain)
- Referrer hostname only (not full URLs)
- UTM parameters (source, medium, campaign, term, content) when present
- Country code (when available from edge headers)
- Device type, browser name, and operating system
- Hashed visitor identifier (HMAC of IP address + User-Agent; no raw IP addresses are stored)
Important: We do not store raw IP addresses. Visitor identifiers are hashed server-side using a secret key and cannot be reversed to identify individual users.
3. How We Use Your Information
- To provide, maintain, and improve our service
- To authenticate users and manage access to workspaces
- To display and serve your embedded content and redirect links
- To generate analytics reports for your links
- To enforce password protection on links when configured
- To verify custom domain ownership
- To send account-related emails (confirmation, password reset, etc.)
- To detect and prevent fraud, abuse, and security threats
- To comply with legal obligations
4. Legal Basis for Processing (GDPR Art. 6)
If you are located in the EU/EEA (or where similar legal requirements apply), we process personal data under the following legal bases:
| Processing activity | Legal basis |
|---|
| Account registration and authentication | Performance of a contract (Art. 6(1)(b)) |
| Workspaces, links, folders, and custom domains (service functionality) | Performance of a contract (Art. 6(1)(b)) |
| Account-related emails (e.g., password reset, email confirmation) | Performance of a contract (Art. 6(1)(b)) |
| Security, fraud prevention, and abuse detection | Legitimate interests (Art. 6(1)(f)) — protecting the security and integrity of the platform |
| Analytics (visitor tracking on embedded links and redirects) | Legitimate interests (Art. 6(1)(f)) — providing analytics and improving the service (we use a hashed visitor identifier and do not store raw IP addresses) |
| Legal compliance and responding to legal requests | Legal obligation (Art. 6(1)(c)) |
5. Data Storage and Security
We take reasonable measures to protect your data. Your data is stored securely using industry-standard encryption and security practices. We use secure communication protocols (HTTPS) for all data transmission.
Data Retention
- Account data: Retained until account deletion
- Analytics events: Raw events retained for 90 days, aggregated data retained longer
- Deleted links and folders: Removed immediately upon deletion
6. Data Sharing and Third-Party Services
6.1 Third-Party Services
We use the following third-party services to operate our platform:
- Supabase: Database, authentication, and backend infrastructure. See Supabase Privacy Policy
- Vercel: Hosting and deployment platform (if custom domains are configured). See Vercel Privacy Policy
6.2 Data Sharing
We do not sell, rent, or trade your personal information. We only share data:
- With third-party service providers (listed above) necessary to operate our service
- When required by law or to protect our rights and safety
- With your explicit consent
7. Your Rights and Choices
You have the following rights regarding your data:
- Access: View and export your data through the dashboard
- Modification: Update your account information and content at any time
- Right to erasure (account deletion): You can permanently delete your account and all associated data (workspaces, links, folders, custom domains, and analytics) directly from your dashboard under Settings → Delete Account. This action is irreversible and requires confirmation. You may also request deletion by contacting us via our contact page at https://linkembed.io/contact.
- Right to data portability / access: You can download a copy of all data we hold on your account at any time from Settings → Download My Data (GDPR). The export is delivered as a plain-text file and includes your account details, workspaces, links, folders, custom domains, analytics summary, and more. This feature is available once every 3 days.
- Export: Export analytics data in JSON or HTML format
- Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority. If you are located in Israel, you may contact the Privacy Protection Authority (PPA) at https://www.gov.il/en/departments/the_privacy_protection_authority. If you are located in the EU/EEA, you may contact the supervisory authority in your country of residence or place of work. A list of EU/EEA supervisory authorities is available at https://www.edpb.europa.eu/about-edpb/about-edpb/members_en.
- Opt-out: Disable analytics tracking (contact us at https://linkembed.io/contact)
8. Cookies and Tracking
We use cookies and similar technologies for:
- Authentication and session management (required for service functionality)
- Password-protected link access tokens (signed cookies for security)
- Analytics tracking (hashed identifiers, no personal information)
You can control cookies through your browser settings, though this may affect service functionality.
9. Children's Privacy
Our service is not intended for users under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us immediately.
Third-Party Content
Our service allows you to embed content from third-party services. When you embed third-party content:
- You are responsible for ensuring you have the right to share that content
- Third-party services are responsible for their own content and data
- We do not access, store, or process third-party content data through their APIs
- Embedded content is rendered directly by the third-party service
We are responsible only for data we collect directly (account information, workspace data, analytics) and comply with applicable privacy laws for data under our control.