Data Processing Agreement
Last updated on Feb 03, 2026.
This Data Processing Addendum ("DPA") forms part of the main agreement ("Agreement") between Linklet.io LLC ("Linklet.io", "we", "us", or "our") and the customer ("Customer") for the provision of services by Linklet.io (the "Service") as defined in the Agreement.
If you are accepting this DPA on behalf of your customer, you warrant that: (a) you have full legal authority to bind your customer to this DPA; (b) you have read and you understand this DPA; and (c) you agree, on behalf of your customer, to this DPA.
Any terms not explicitly defined in this DPA carry the same meanings as those in our Terms and Conditions.
In the course of providing the Service to the Customer pursuant to the Agreement, Linklet.io may process visitor data on behalf of the Customer. We protect and secure your visitor data to the high standards set out in the Agreement.
Definitions
- Data Protection Laws means as applicable (i) the GDPR; (ii) the UK GDPR; (iii) the CCPA; and (iv) any relevant law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding instrument which implements any of the above or which otherwise relates to data protection, privacy or the use of personal information, in each case as applicable and in force from time to time, and as amended, consolidated, re-enacted or replaced from time to time;
- Personal Data means information that identifies, relates to, describes, is capable of being associated with, or can reasonably be linked, directly or indirectly, with a particular individual or household or is otherwise defined as “personal information” or “personal data” by applicable Data Protection Laws.
- Data Subject means an identifiable individual who is the subject of Personal Data.
- Subprocessor means any third party appointed by Linklet.io to Process Customer Personal Information on behalf of the Customer in connection with the Agreement.
- Controller means a person or entity that determines the purposes and means of the Processing of Personal Data.
- Processor means a person or entity that Processes Personal Data on behalf of the Controller.
Controller and Processor
Data Protection Laws and privacy laws in certain jurisdictions differentiate between "Controllers" and "Processors" of personal information. A Controller decides why and how to process personal information. A Processor processes personal information on behalf of a Controller based on the Controller’s instructions. When you create a Linklet.io link or QR code as our user, we are acting as a Controller. When you visit a Linklet.io link or QR code created by a user, we are acting as a Processor.
Privacy and Security of your Visitor Data
We take many measures to protect and secure your data through backups, redundancies, and encryption. When you use our Service to measure your Linklet.io link or QR code stats as our Customer, we will collect information about your visitors.
You entrust us with your visitors' data. You agree that we may Process your data as described in our DPA and for no other purpose. We don’t sell or share your visitors' data to any third parties, and we don’t abuse your visitors' privacy.
Even though the purpose of Linklet.io is to track the usage of a Linklet.io link or QR code visit, this can still be done without tracking, collecting or storing any Personal Data or personally identifiable information (PII), without using cookies and while respecting the privacy of your visitors.
By using Linklet.io, all the site measurement is carried out absolutely anonymously. We minimize data collection in general. We measure only the most essential data points and nothing else. All the metrics we do collect fit in one single page.
We do not attempt to generate a device-persistent identifier because they are considered personal data under Data Protection Laws. We do not use cookies, browser cache, or the local storage. We do not store, retrieve, or extract anything from visitors' devices. The data we process cannot be used to identify any single individual.
Every single HTTP request sends the IP address and the User-Agent to the server so that’s what we use. We generate a daily changing identifier using the visitor’s IP address and User-Agent. To anonymize these datapoints and make them impossible to relate back to the user, we run them through a hash function with a rotating salt.
hash(hourly_salt + ip_address + user_agent)This generates a random string of letters and numbers that is used to calculate unique visitor numbers for the day. The raw data IP address and User-Agent are never stored in our logs, databases, or anywhere on disk.
Old salts are deleted every day to avoid the possibility of linking visitor information from one day to the next. Forgetting used salts also removes the possibility of the original IP addresses being revealed in a brute-force attack. The raw IP address and User-Agent are rendered completely inaccessible to anyone, including ourselves.
The group of Data Subjects affected by the processing of their data under this Agreement includes end-users of the Controller’s websites which make use of the Service provided by the Processor. Here is the complete list of what we collect and store about your visitors:
| Data Point | Example | Comment |
|---|---|---|
| URL | https://www.example.com/slug | We track the Linklet.io link or QR code URL. The hostname and path are collected. Query parameters are discarded, except for these special query parameters: ref=, source=, utm_source=, utm_medium=, utm_campaign=, utm_content= and utm_term=. |
| Referrer | https://www.facebook.com | We use the referrer string to show you the number of visitors referred to your Linklet.io link from links on other sites. |
| Browser | Chrome | We use this to show you what browsers and browser version numbers people use when visiting your Linklet.io link or QR code URL. This is derived from the User-Agent HTTP header. The full User-Agent is discarded. |
| Operating System | Mac OS | We use this to show you what operating systems people use when visiting your Linklet.io link or QR code URL. We show the brand of the operating system and the version number. This is derived from the User-Agent HTTP header. The full User-Agent is discarded. |
| Device type | Desktop | We use this to show you what devices people use when visiting your Linklet.io link or QR code URL. Devices are categorized into desktop, mobile or tablet. This is derived from the User-Agent HTTP header. The full User-Agent is discarded. |
| Continent, Country, City | Europe, France, Paris | We look up the visitor’s location using their IP address. We do not track anything more granular than the city level and the IP address of the visitor is discarded. We never store IP addresses in our database or logs. |
Organizational and Technical Security Measures
For encryption, we use HTTPS in transit and the hashing process at rest. Our hashing process is much stronger than encryption. Encryption implies that there’s a key that can decrypt and reveal the raw data. In our database the raw IP address and User Agent are rendered completely inaccessible to anyone, including ourselves.
Controller's Obligations with respect to the Processor
The Customer is responsible for ensuring that the processing of Personal Data complies with all applicable Data Protection Laws and regulations.
The Customer must provide clear instructions to Linklet.io for the processing of Personal Data as required by applicable law.
Processor’s Obligations with respect to the Controller
- Linklet.io will Process visitor data only in accordance with instructions from Customer through the settings of the Service, i.e. (a) to operate, maintain and support the infrastructure used to provide the Service; (b) to comply with Customer’s instructions and processing instructions in their use, management and administration of the Service; (c) as otherwise instructed through settings of the Service. Linklet.io will only Process visitor data in accordance with the Agreement.
- Linklet.io shall notify Customer without undue delay if, in Linklet.io’s opinion, an instruction for the Processing of visitor data given by Customer infringes applicable Data Protection Laws.
- Linklet.io shall guarantee the confidentiality of visitor data Processed hereunder.
- We, as humans, can access your data to help you with support requests you make and to maintain and safeguard Linklet.io to ensure the security of your data and the Service as a whole. Linklet.io shall ensure that all Linklet.io personnel required to access the visitor data are trained in Data Protection Laws and privacy laws, informed of the confidential nature of the data and comply with the obligations set out in this Agreement.
- Linklet.io shall implement and maintain appropriate technical and organizational security measures designed to protect the visitor data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall be appropriate to avert the risks which might result from any unauthorized or unlawful processing, accidental loss, destruction, damage or theft of the visitor data and having regard to the nature of the visitor data which is to be protected.
- We do work with Subprocessors. With each vendor, we assess their DPA and commitment to privacy. Any such subcontractors will be permitted to process data only to deliver the services Linklet.io has retained them to provide, and they shall be prohibited from using data for any other purpose. The Controller is able to legitimately object and may terminate the Agreement.
- If Linklet.io becomes aware of any accidental, unauthorized or unlawful security breach, destruction, loss, alteration, or disclosure of the Personal Data that is Processed by Linklet.io in the course of providing the Service, it shall without undue delay (not later than 48 hours after having become aware of it), notify Customer by email and provide Customer with a description of the incident as well as periodic updates to information about the incident, including its impact on Customer content. Linklet.io shall additionally take action to investigate the incident and reasonably prevent or mitigate the effects of the incident.
- Linklet.io shall not on its own authority rectify, erase or restrict the processing of visitor data that is being processed on behalf of the Controller (unless this is required by law or the Processor Terms of Service), but shall only do so on documented instructions from the Controller and in accordance to our data retention rules.
- Linklet.io shall assist the Controller in complying with the obligations concerning the security of Personal Data. Linklet.io will also provide assistance to the Controller for Data Protection Impact Assessments (DPIAs), where a data subject asserts their rights as a Data Subject, this request will be forwarded to the Controller without delay.
- Linklet.io will ensure that Personal Data is not transferred outside the European Economic Area (EEA) or other jurisdictions with similar restrictions unless adequate protections are in place, such as standard contractual clauses or an approved certification mechanism.
Termination and Deletion of Data
Upon termination of the Agreement, Linklet.io will, at the Customer's choice, return or delete all Personal Data Processed on behalf of the Customer, unless required by applicable law to retain the data.
Governing Law
This DPA shall be governed by and construed in accordance with the laws governing the Agreement.
How Can You Contact Us?
If you have questions or concerns regarding this DPA, you may contact us at support@linklet.io.