When you use Alllinks, you're trusting us with your information. We take that seriously — and here's exactly how we collect, use and protect it.

1. Who this applies to

This policy covers everyone who interacts with Alllinks:

• Creators & businesses who sign up for an Alllinks account, build a profile, run a shop, host events, or invite teammates.
• Visitors who land on a creator's alllinks.cc/u/name page, click a link, watch an embed, buy a product, or submit a form.
• Buyers who complete a purchase through our checkout (handled by Paddle, our Merchant of Record).

Alllinks is the data controller for everything inside the dashboard. For paid subscriptions, Paddle is the data controller for billing data — checkout details, card number, billing address, VAT/tax IDs — and a joint controller with us for the subscription record that links a Paddle customer to an Alllinks account.

2. What we collect from account holders

When you create an Alllinks account

• Email, hashed password, and (optionally) name or username.
• Account type — Creator or Business — and the country you operate in.
• If you sign in with Google, Apple, or Facebook: your provider ID, name, and email. We never receive your password from the provider.

When you build your page

• Profile content: bio, profile picture, banner, links, text blocks, link collections, FAQs, photo galleries, video gallery, music embeds, articles, PDFs, events.
• Shop content: products, collections, prices, currency, digital downloads, bookings, service catalog.
• Design choices: theme, font, button shape, wallpaper, custom colors, custom domain (if connected).
• Business-only: employee profiles, services, business hours, location/address, team-member invitations.

When you contact us

• Messages from the in-app chat widget, the Contact page form, email to support@alllinks.cc, and any attachments you choose to send.

3. What we collect from visitors to your page

• Aggregate analytics: page views, link clicks, source (Instagram, TikTok, search, direct), device type, country derived from IP, referrer.
• Subscriber capture: if a visitor submits an email opt-in form, contact form, RSVP, or booking, that data is stored against your account and shared only with you.
• Cookies: a single first-party session cookie on the public page (used to dedupe visit counts), and any cookies set by embeds you choose to add (YouTube, Spotify, etc. — those follow their own privacy policies).

We don't run third-party advertising trackers on creator pages.

4. Payments & Paddle

If your buyers pay you through your Alllinks shop, those payouts run on your own Stripe or PayPal account — Alllinks does not sit in the middle of those transactions and does not store your buyers' payment data.

5. How we use information

• Operate the Service — render your public page, sync your dashboard, deliver subscriber capture, run your analytics, fulfil bookings.
• Process payments — pass billing-related data to Paddle, reconcile subscription state, send receipts.
• Improve the product — aggregate, anonymised feature-usage stats. We don't profile individuals.
• Secure the platform — detect spam, phishing pages, fraudulent shops, abusive embeds, and brute-force login attempts.
• Communicate — transactional emails (sign-up confirmation, password reset, billing receipts via Paddle, security alerts) and, only with your consent, product newsletters.

6. Third parties we use

• Paddle — billing & Merchant of Record (described above).
• Hosting & CDN — AWS / Cloudflare regions, used to serve your page worldwide.
• Email delivery — for transactional and subscriber broadcast emails (you control the latter from your dashboard).
• Analytics — a privacy-friendly analytics provider for aggregated dashboard usage; no third-party cookies on public profile pages.
• Embeds & players — YouTube, Spotify, SoundCloud, Vimeo, Twitch when you choose to embed them. Each runs under its own privacy policy.

We don't sell or rent personal data, and we don't share data with advertisers.

7. Your rights

Under GDPR, the UK Data Protection Act, CCPA and similar laws, you have the right to:

• Access a copy of the data Alllinks holds about you.
• Correct anything that's inaccurate.
• Delete your account and profile data (see Data Deletion).
• Restrict or object to processing, and export your data in JSON/CSV.
• Withdraw consent for any communication you opted into.

For billing data, exercise those rights with Paddle (a link to their customer portal is in every receipt). For everything else, email support@alllinks.cc. We respond within 30 days.

8. Data retention

Profile and content are kept while your account is active. After you delete the account, active systems are wiped within 30 days and encrypted backups within 90 days. Aggregate, fully anonymised analytics may be retained longer. For tax/audit reasons, Paddle and we retain a minimal billing record (transaction ID, country, amount, VAT) for up to 7 years — none of which can be tied back to you as a person.

9. International transfers

Alllinks is a global service. Your data may be processed in countries other than the one you live in (typically the EU, UK, or US, depending on the region serving your page). Where we transfer data outside the UK/EEA, we rely on Standard Contractual Clauses or the UK International Data Transfer Addendum. Paddle's transfers run under the same framework.

10. Security

TLS in transit, encryption at rest for sensitive fields, hashed passwords with modern algorithms, least-privilege access for the team, regular dependency scanning, and continuous monitoring. If a breach materially affects you we will notify you and the relevant data-protection authorities within 72 hours.

11. Children

Alllinks is not directed at children under 13 (or the minimum age in your country). We don't knowingly collect data from anyone under that age. If you believe a minor has signed up, contact us and we will remove the account.

12. Alllinks Assistant (ChatGPT)

Alllinks offers an optional “Alllinks Assistant” custom GPT that lets you manage your own account by chatting inside ChatGPT. It is opt-in and requires an active Alllinks subscription.

• Authorisation: the assistant connects through OAuth. It can only access your account and only the scopes you approve on the consent screen (your links, content and basic profile). It never sees your password and cannot touch any other user’s data.
• What we receive: only the specific API requests needed to carry out the action you asked for (for example “add this link”). We store a per-account access/refresh token, encrypted, solely to perform those actions on your behalf.
• OpenAI’s role: when you chat with the assistant inside ChatGPT, your messages are processed by OpenAI under OpenAI’s privacy policy. Alllinks does not control ChatGPT and only receives the resulting API calls.
• No selling, no training: we do not sell or share this data and we do not use it to train any model.
• Revoke anytime: remove access from Settings → Integrations → Alllinks Assistant (or from your ChatGPT account). Revoked tokens stop working immediately.

13. Changes

If we update this policy materially we post the new version here, update the effective date, and email account holders. Continued use after the effective date means you accept the update.

14. Contact

Privacy questions, GDPR / CCPA requests, or anything else covered here: email support@alllinks.cc. Billing-specific requests can also be sent directly to Paddle from your customer portal.