Who We Are
Openlynk (“we”, “our”, “us”) is a dynamic link management platform that lets developers and teams create, manage, and track deep links across iOS, Android, and web applications. Our services include the Openlynk web dashboard, public APIs, mobile SDKs, and link redirect infrastructure.
This Privacy Policy applies to all users of the Openlynk platform, including visitors to openlynk.io and authenticated account holders. For any privacy-related questions, contact us at [email protected].
Data We Collect
We collect data you provide directly, data generated as you use our platform, and data from third-party services used to operate the platform.
2.1 Account & Identity Data
- Email address (used to create and identify your account)
- Password (stored as a secure hash — we never store plaintext passwords)
- Google OAuth profile information (name, profile picture) if you sign in with Google
- Organization name and membership details
2.2 Billing & Subscription Data
- Subscription plan (Free, Starter, Pro, or Enterprise)
- Billing period start and end dates
- Stripe Customer ID and Subscription ID — we use Stripe to process payments; Openlynk does not store card numbers or bank details
- Payment history and invoice status
2.3 App & Link Configuration Data
- Mobile application configurations you create (bundle IDs, app store URLs, deep link schemes)
- Dynamic links you create, including custom slugs, destination URLs, and redirect rules
- Custom domains and branded subdomains you configure
- Shortened URLs generated through the platform
- App API keys used to authenticate SDK integrations
- Firebase project IDs stored per app for push notification delivery (Firebase secrets are never transmitted to the client)
2.4 Analytics & Usage Data
- Link click events, including timestamp and click count
- Device type, operating system, and browser used by end users who click your links
- Approximate geo-location data (country and city) derived from IP addresses of link visitors
- Campaign tracking parameters (UTM tags) associated with link visits
- Dashboard usage patterns (pages visited, features used) to improve the platform
2.5 Technical & Infrastructure Data
- IP addresses of authenticated users for security monitoring and rate limiting
- Authentication tokens and session identifiers
- Error logs, stack traces, and crash reports used to diagnose platform issues (tagged with request ID, organisation ID, and user ID)
- User-Agent strings and request IDs for distributed tracing and observability
- Theme preferences stored locally in your browser (localStorage key:
openlynk-theme)
2.6 Deferred Deep Linking Data
When a user clicks one of your links but does not have the target app installed, we may temporarily store a pending link record to restore the destination after app install:
- Pending link records including the original destination URL and click timestamp
- An anonymised device fingerprint used to match the pending link to the installed app
- Link restoration metadata (restoration method and timestamp)
- Email address, only if voluntarily provided as part of a deferred linking flow
How We Use Your Data
- Provide and operate the Openlynk platform and all its features
- Authenticate your identity and maintain session security
- Process subscription payments and manage billing via Stripe
- Deliver link redirect services globally with sub-50ms performance
- Present analytics dashboards showing click data, device breakdowns, and geographic distribution to you about your own links
- Send transactional emails (account confirmation, password reset, billing receipts)
- Monitor system health, detect abuse, and enforce our Acceptable Use Policy
- Improve platform features and fix bugs using aggregated, anonymized usage data
- Comply with legal obligations (tax, fraud prevention, lawful data requests)
Third-Party Services & Data Sharing
We do not sell your personal data. We share data only with the following trusted service providers necessary to operate Openlynk:
Account credentials, organization data, app/link configurations, analytics events, and deferred deep linking records are stored in a Supabase-hosted PostgreSQL database with row-level security. Supabase Auth handles password hashing and OAuth flows.
Billing information and subscription management is handled by Stripe. Openlynk passes your email to Stripe when you subscribe. Card details are processed exclusively by Stripe and are never sent to Openlynk servers.
If you choose to sign in with Google, your Google account email and basic profile are shared with us to create or link your Openlynk account.
Account confirmation, password reset, billing receipts, and team invitation emails are delivered via Resend. Your email address is passed to Resend solely for the purpose of sending these messages.
If you configure push notifications for your mobile app, your Firebase project ID is stored by Openlynk to route notification delivery. Firebase secrets are stored securely server-side and are never exposed to the client.
Custom domain verification is performed via Cloudflare. When you add a custom domain, a Cloudflare hostname ID is stored to track verification status. Cloudflare also provides DDoS protection and CDN services for our infrastructure.
We may disclose personal data when required by applicable law, court order, or to protect the rights and safety of Openlynk, our users, or the public.
Data Retention
We retain your account data for as long as your account is active. If you delete your account, we will delete or anonymize your personal data within 30 days, except where we are required to retain it for legal, fraud prevention, or tax compliance purposes.
Aggregated and anonymized analytics data (with no personally identifiable information) may be retained indefinitely for platform improvement and benchmarking.
Security
Openlynk is built with security as a core principle. Our security measures include:
- End-to-end encryption for data in transit (TLS 1.3)
- Passwords stored using industry-standard hashing (bcrypt via Supabase Auth)
- SOC 2 compliant infrastructure through our cloud providers
- GDPR-ready data handling practices
- Row-level security (RLS) in our database to ensure users can only access their own data
- Regular security audits and vulnerability assessments
No system is 100% secure. If you discover a security vulnerability, please disclose it responsibly by emailing [email protected].
Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access — request a copy of the personal data we hold about you
- Correction — request correction of inaccurate or incomplete data
- Deletion — request deletion of your personal data (subject to legal retention obligations)
- Portability — receive your data in a structured, machine-readable format
- Restriction — request that we restrict processing of your data in certain circumstances
- Objection — object to processing of your data for certain purposes
- Withdraw consent — where processing is based on consent, withdraw it at any time
To exercise any of these rights, email us at [email protected]. We will respond within 30 days.
If you are in the European Economic Area (EEA), UK, or California (CCPA), you have additional rights under applicable data protection legislation. We are committed to honoring those rights.
Children's Privacy
Openlynk is not directed at children under 16 years of age. We do not knowingly collect personal data from children. If we learn that we have collected data from a child, we will delete it promptly. If you believe a child has provided us with their data, please contact us at [email protected].
Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date at the top of this page and, where appropriate, notify you by email. Continued use of the platform after changes take effect constitutes acceptance of the updated policy.
Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us: