1. What this addendum is
This Data Processing Addendum ("DPA") forms part of our Terms of Use. It sets out the data-protection obligations we owe each other when Alllinks processes personal data on your behalf — typically when your Alllinks page collects emails, bookings, orders, or form responses from your audience.
Two distinct relationships
- For your own data (your account, your subscription) Alllinks acts as controller — see our Privacy Policy.
- For the data your visitors give to you (subscriber emails, booking forms, orders) Alllinks acts as processor — that's what this DPA covers.
- For payment data, our Merchant of Record Paddle is the data controller.
2. Who needs to sign this
Account holders subject to GDPR, UK GDPR, the CCPA, or similar laws should accept this DPA. Acceptance happens automatically when you click into the dashboard and confirm the cookie / data prompts. If your DPO or legal team needs a counter-signed copy, email privacy@alllinks.cc and we'll send a PDF version.
3. Scope of processing
- Subject matter: the operation of the Alllinks platform.
- Duration: for as long as your account is active, plus the retention periods set out in our Privacy Policy.
- Nature & purpose: hosting, displaying, and securing the content you put on your Alllinks page; capturing and storing the responses your audience gives to that page.
- Categories of data subjects: visitors to your Alllinks page; subscribers; buyers from your shop; people who fill in your forms.
- Categories of personal data: name, email, phone (where collected), IP address, click data, form responses, order details (when applicable).
4. Our obligations as processor
- Process only on documented instructions — the instructions are these terms, the dashboard you control, and the API actions you take.
- Confidentiality — staff with access to personal data are bound by confidentiality.
- Security — TLS in transit, encryption at rest for sensitive fields, hashed passwords, least-privilege access, dependency scanning.
- Sub-processors — we use vetted third parties (Paddle, hosting/CDN, email delivery, analytics). The current list is at Subprocessors (updated as it changes). We give 30 days' notice of any addition or change.
- Data-subject requests — we route requests we receive from your audience to you, and we help you respond on time.
- Breach notification — we notify you of a personal-data breach without undue delay, generally within 72 hours.
- Audit rights — we share third-party security audits on request and accept reasonable on-paper audits no more than once per year.
- Return / deletion at end — when our contract ends, we delete or return personal data as you instruct, subject to the retention obligations in our Privacy Policy.
5. International transfers
Where we transfer personal data outside the UK/EEA we rely on the EU Standard Contractual Clauses (Commission Implementing Decision 2021/914) and the UK International Data Transfer Addendum. Paddle's transfers run under the same framework.
6. Liability & precedence
Our liability under this DPA is governed by the limitation-of-liability section in our Terms of Use. If anything in this DPA conflicts with the main Terms, this DPA governs in respect of data-protection matters; the main Terms govern everything else.
7. Changes
If GDPR / UK GDPR / CCPA guidance evolves we may update this DPA. For material changes we'll email account holders and post the new version with a fresh effective date.
8. Contact
Data Protection Officer: privacy@alllinks.cc. Paddle's privacy team is reachable from your Paddle customer portal.