Privacy Policy

Last updated: April 29, 2026

1. Introduction

Blinki ("we", "our", or "us") operates this platform to provide link-in-bio pages, URL shortening, QR code generation, and analytics services. This Privacy Policy explains how we collect, use, and protect your personal information when you use our service.

2. Information We Collect

Account information: When you register, we collect your name and email address. Your password is hashed using bcrypt and never stored in plain text.

Usage data: When visitors view your hub pages, click your short links, or scan your QR codes, we record anonymized event data including: timestamp, event type, referrer URL, user-agent string, and UTM parameters. We do not store IP addresses in analytics events.

Technical data: We collect server logs for security and reliability purposes. These logs are retained for 30 days and include IP addresses, request paths, and response codes.

3. How We Use Your Information

  • To operate and maintain your account and organization
  • To provide analytics about your content and audience
  • To send transactional emails (invitation notices, password resets)
  • To detect and prevent abuse, fraud, and security incidents
  • To improve our services based on aggregate usage patterns

We do not sell your personal data to third parties. We do not use your data for advertising.

4. Data Retention

Analytics event data is retained according to your plan: 30 days (Free), 90 days (Creator), 365 days (Pro), or indefinitely (Agency). You may request deletion of your account and all associated data at any time by contacting us.

5. Cookies

We use a single session cookie to maintain your authenticated session. We do not use tracking cookies, advertising cookies, or third-party analytics scripts.

6. Data Sharing

We share your data with the following third-party sub-processors only as necessary to operate the service:

  • SendGrid (Twilio Inc., USA) — for transactional email delivery
  • Microsoft Azure / SQL Server — for application and database hosting
  • Stripe, Inc. — for subscription payment processing; payment card details are submitted directly to Stripe and we do not store them

These sub-processors are contractually bound to handle your data only as directed by us. We may also disclose information when required by law, court order, or valid legal process, or to protect the rights, property, or safety of Blinki, our users, or others (including for fraud prevention or to respond to abuse, DMCA, or trademark complaints described in our Terms of Use).

7. Your Rights

Depending on your jurisdiction, you may have the right to: access a copy of your data, correct inaccurate data, request deletion of your data, or object to processing. To exercise any of these rights, contact us at the address below.

8. Security

We use HTTPS for all data in transit, bcrypt for password hashing, and HMAC-SHA256 for webhook signing. Access to production systems is limited to authorized personnel. We conduct regular security reviews.

9. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email to registered account holders. Continued use of the service after notice constitutes acceptance of the updated policy.

10. Visitor Data on Hub Pages and Short Links

Blinki provides users (account holders) with tools to publish hub pages, short links, and QR codes. When a member of the public visits one of those pages or follows one of those links ("Visitors"), the user — not Blinki — determines what content is displayed and where the Visitor is forwarded.

For any personal information a user collects from Visitors using the Service (for example, newsletter signups, form submissions, or contact details), the user acts as the data controller and Blinki acts as a data processor on the user's behalf. Users are responsible for: (a) providing Visitors with their own privacy notice; (b) obtaining any required consents (including for cookies, marketing, or international transfers under the GDPR or comparable laws); (c) responding to Visitor data-subject requests; and (d) complying with all applicable privacy and electronic-communications laws. Blinki disclaims responsibility for Visitor data handled by users in violation of these obligations.

11. Children's Privacy

The Service is not directed to children under 13 (or under 16 in the European Economic Area and the United Kingdom). We do not knowingly collect personal information from children under those ages. If we learn that we have collected such information, we will delete it promptly. Users of the Service are responsible for ensuring that any audience they direct to their hub pages or links complies with the Children's Online Privacy Protection Act (COPPA), the GDPR, and other applicable child-protection laws.

12. International Data Transfers

We and our sub-processors may store and process data in Canada, the United States, and other countries. Where data is transferred from the European Economic Area, the United Kingdom, or Switzerland, we rely on appropriate transfer mechanisms such as the Standard Contractual Clauses or equivalent safeguards. By using the Service, you acknowledge that your information may be transferred to and stored in countries with data-protection laws that differ from those in your jurisdiction.

13. Contact

For privacy-related inquiries, including data-subject access or deletion requests, please contact us at privacy@links.app.