GNLinks

gn2.me

Privacy Policy

Last updated: 2026-05-12

This document explains how GNLinks collects, uses, and protects your personal data. We are committed to GDPR compliance and data minimisation — we never store raw IP addresses, never sell your data, and give you full control over your privacy preferences.

1. Introduction

Welcome to GNLinks ("we", "our", or "us"). We are committed to protecting your personal data and your rights under applicable privacy laws, including the General Data Protection Regulation (GDPR). This Privacy Policy explains what data we collect, how we use it, and your rights regarding that data. By using our platform, you agree to the collection and use of information in accordance with this policy.


2. Data We Collect

We collect the following categories of personal data:

- Account & Identity Data: Your name, email address, password (stored as a bcrypt hash — never in plaintext), phone number (optional), and profile information you provide.
- Usage & Analytics Data: When visitors click your shortened links, we record: a pseudonymised hash of the visitor's IP address (not the raw IP), parsed device/browser/OS information (not the raw user-agent string), geographic region (country/city derived from IP), referrer URL, and timestamp. This data cannot be used to individually identify a visitor.
- Cookie & Consent Data: We record your cookie consent choices (analytics consent, marketing consent) with a timestamp and version.
- Payment Data: When you subscribe to a paid plan, payment is processed by Razorpay. We store your subscription status and plan level, but do not store raw card numbers.
- Communications: Email addresses for transactional emails (verification, password reset, invitations).


3. How We Use Your Data

We use your data for the following purposes:

- Service Delivery: To operate the URL shortener, serve redirect analytics, manage organizations and teams, and provide customer support.
- Security: To prevent fraud, abuse, account takeovers, and bot traffic. This includes audit logs of sensitive actions (e.g., password changes, 2FA changes, GDPR requests).
- Analytics (with consent): Aggregated, anonymised click statistics shown in your dashboard — country, device type, referrer, UTM parameters. We do not sell this data.
- Marketing (with consent): Occasional product updates and feature announcements. You can withdraw consent at any time via Settings > Privacy.
- Legal Obligations: We retain certain records to comply with applicable law and to exercise or defend legal claims.


4. Legal Basis for Processing

We process your personal data on the following legal bases under Article 6 GDPR:

- Contract: Processing necessary to provide the service you signed up for (account management, link redirects, team management).
- Legitimate Interests: Security monitoring, fraud prevention, and service improvement — subject to your rights not overriding these interests.
- Consent: Analytics and marketing emails — only where you have given explicit, revocable consent.
- Legal Obligation: Retaining audit logs and complying with data protection authorities.


5. Data Retention

We retain your data for as long as your account is active or as needed to provide services. Specifically:

- Click analytics: 12 months rolling (auto-deleted via TTL index).
- Audit logs: 12 months rolling.
- Account data: Until you request erasure, subject to a 30-day grace period before permanent deletion.
- Backup exports: Deleted within 7 days of download availability.

You may request earlier deletion via our GDPR tools (Settings > Privacy > Request Erasure).


6. Your Rights Under GDPR

If you are in the European Economic Area (EEA) or UK, you have the following rights:

- Right of Access: Request a copy of personal data we hold about you (Settings > Privacy > Export Data).
- Right to Rectification: Correct inaccurate data via your account profile.
- Right to Erasure ("Right to be Forgotten"): Request deletion of your account and associated data (Settings > Privacy > Delete Account).
- Right to Restriction: Ask us to stop actively processing your data while retaining it.
- Right to Data Portability: Receive your data in a machine-readable format.
- Right to Object: Object to processing based on legitimate interests, including profiling.
- Right to Withdraw Consent: Withdraw analytics or marketing consent at any time (Settings > Privacy).

To exercise any of these rights, contact us at himanshu.mishra@thehigherpitch.com. We will respond within 30 days.


7. Cookies

We use the following cookies:

- Essential (always active): Authentication session cookies (httpOnly, Secure, SameSite=Strict), CSRF protection, security tokens. These cannot be disabled as they are required for the service to function.
- Analytics (consent required): Aggregate click tracking to power your dashboard. If you reject analytics cookies, your own dashboard statistics may be affected.
- Marketing (consent required): Personalisation and product update emails.

You can change your preferences at any time via the cookie consent banner or Settings > Privacy.


8. Third-Party Services

We share data with these third parties only to the extent necessary:

- Razorpay: Payment processing. Governed by Razorpay's Privacy Policy.
- Google (OAuth): If you sign in with Google, governed by Google's Privacy Policy.
- Email delivery provider: For transactional emails only.
- Geolocation database: An offline database (geoip-lite) — no data is sent to a third party for geo lookups.

We do not sell, rent, or trade your personal data.


9. Security

We implement industry-standard security measures including bcrypt password hashing, AES-256-GCM encryption of sensitive secrets at rest, HTTPS enforcement, rate limiting, account lockout, and optional two-factor authentication (TOTP). Despite these measures, no system is 100% secure. Please use a strong, unique password and enable 2FA.


10. Contact Us

If you have questions about this Privacy Policy or wish to exercise your GDPR rights, please contact:

GNLinks Privacy Team
Email: himanshu.mishra@thehigherpitch.com

We will respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with your local Data Protection Authority.