Privacy Policy

1. Who this policy applies to

This policy covers two types of users:

• Sellers: people who create an account and publish unlock links to sell digital content.
• Buyers: people who visit a public unlock link and pay to access content. Buyers do not need a linklck account.

2. Information we collect

2.1 Sellers

When you create an account we collect:

• Email address: provided via Firebase Authentication (email/password or Google sign-in).
• Display name: shown on your unlock pages so buyers know who created the content. Optional; you can leave it blank.
• The content you upload: text, URLs, markdown, or private links. This is stored in our database and only revealed to a buyer after a verified payment.
• Payment and earnings data: we record the amount earned per unlock, the platform fee taken, amounts held as reserve, and your running balance. We do not store your bank account or card details; your identity and bank/payout details are collected and held by Stripe Connect when you set up payouts (Stripe performs identity verification / KYC as required by law).

2.2 Buyers

When you purchase an unlock we collect:

• Email address: collected by Stripe during checkout. We receive it as part of the payment confirmation webhook so we can associate your purchase with your unlock token.
• IP address (hashed): your IP address is immediately hashed using SHA-256 with a unique per-deployment salt before we store it. We never store the raw IP. This hash is used only for abuse detection (e.g. detecting coordinated reporting campaigns).

We do not store your credit or debit card number, CVV, or billing address. All payment processing is handled by Stripe using a Stripe account owned and operated by Nexuf (nexuf.io). Their privacy policy is at stripe.com/privacy.

2.3 Abuse reports

If you submit an abuse report, we record the reason, any details you provide, and a hashed version of your IP address. We do not ask for or store your name or email when you file a report.

2.4 Automatically collected data

Our backend records standard server access logs (timestamp, HTTP method, URL, status code, response time). These logs do not contain paywalled content, unlock tokens, or raw IP addresses. Logs are retained for 30 days and then automatically deleted.

3. How we use your information

• To provide the service: authenticating sellers, storing content, processing unlock tokens, and crediting seller balances.
• To process payouts: your email and payout request details are used by our team when approving and sending manual payouts.
• To prevent abuse: hashed IPs and abuse reports are used to detect fraud, spam, and coordinated attacks. Links are automatically hidden after a threshold of reports from distinct IP ranges.
• To scan for malicious content: URLs submitted by sellers are checked against the Google Safe Browsing API. The URL is sent to Google for classification. Google's privacy policy applies to that call. We do not send the paywalled content itself.
• To communicate with you: we may email sellers regarding their account, payout status, or important policy changes. We do not send marketing email without your explicit consent.

4. Data sharing and third parties

We do not sell your personal data. We share data only with the following processors:

5. Cookies and local storage

We use browser localStorage to persist your unlock token after a successful payment so you can return to unlocked content without paying again. No third-party tracking cookies are set by linklck. Firebase Authentication may set a session cookie for authenticated sellers.

6. Data retention

• Seller accounts: retained while your account is active. When you request account deletion, your links are immediately hidden from buyers. Your profile, links, and link content are permanently deleted 7 days after the deletion request. Financial records (unlock history, payout records) are retained for 2 years for accounting and dispute purposes, with personal identifiers removed after deletion.
• Unlock records: retained for 2 years for accounting and dispute purposes, then anonymised.
• Abuse reports: retained for 1 year, then deleted.
• Server logs: 30 days, then automatically purged.

7. Your rights

Depending on your location you may have rights under the GDPR (EU/EEA), UK GDPR, or CCPA (California). These include:

• Access: request a copy of the data we hold about you.
• Rectification: ask us to correct inaccurate data.
• Erasure: request deletion of your personal data. Account deletion is permanent and irreversible; it initiates a 7-day grace period after which your profile, links, and content are purged. Financial transaction records (unlock history, payout records) are retained for legal and accounting purposes with personal identifiers removed.
• Portability: receive your data in a machine-readable format.
• Objection / restriction: object to or restrict processing in certain circumstances.

To exercise any right, email privacy-linklck@nexuf.io. We will respond within 30 days.

8. Security

We use industry-standard measures to protect your data: TLS in transit, encryption at rest on our database host, least-privilege access controls, and no logging of sensitive fields (content, tokens, raw IPs). No system is completely secure; if you discover a vulnerability please email security-linklck@nexuf.io.

9. Children

linklck is not directed at children under 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with data, contact privacy-linklck@nexuf.io and we will delete it.

10. Changes to this policy

We may update this policy from time to time. When we do, we will update the "Last updated" date at the top and, for material changes, notify active sellers by email at least 14 days before the change takes effect. Continued use of linklck after that date constitutes acceptance.

11. Contact

For privacy-related questions or requests:
Email: privacy-linklck@nexuf.io