Data Processing Agreement
Our DPA implements GDPR Article 28 obligations between you (the controller) and LinkQuill (the processor). It applies automatically to every paid plan — you do not need to sign anything for it to take effect.
Need a counter-signed copy for your records?
Download the LinkQuill-signed PDF below, then email a counter-signed copy to legal@linkquill.net — we'll log it against your account.
1. Subject matter + duration
LinkQuill processes personal data on your behalf for the duration of your subscription. The processing is described in your account settings and in our Privacy Policy.
2. Nature + purpose of processing
We process affiliate, conversion, payout, and analytics data so that you can operate your affiliate program. We do not use your data to train machine-learning models, sell it to advertisers, or share it with other LinkQuill customers.
3. Categories of data subjects + personal data
Data subjects: your affiliates, customers who click affiliate links, and your dashboard users.
Personal data: identifiers (email, name), payment metadata (Stripe/PayPal IDs — never raw card or bank numbers), attribution data (IP, user agent, country, visitor UUID), and 1099-required tax data (W-9/W-8BEN forms) where applicable.
4. Sub-processors
Our current sub-processor list is published at /security. We will give you 30 days' notice via the changelog before adding a new sub-processor; you have the right to object during that window.
5. Security measures
We implement the technical and organizational measures listed at /security — including encryption at rest + in transit, role-based access controls, SSRF guards on every outbound webhook, OAuth state nonces, signed-identifier webhook brandId resolution, and continuous audit logging.
6. Data subject rights
You can fulfill data-subject access, deletion, and portability requests by:
- Exporting affiliate / conversion / payout data via the API or dashboard CSV exports.
- Triggering account deletion via Settings → Account → Delete Account (cascades through all related rows + tombstones identifiers per our retention policy).
- Forwarding the request to privacy@linkquill.net if you need our help.
7. International transfers
Application data is hosted primarily in the United States. EU controllers may rely on the EU Commission's Standard Contractual Clauses (SCCs) included in the downloadable PDF; UK controllers may rely on the UK Addendum to the SCCs (also included).
8. Audit rights
You may audit our security posture once per calendar year, on 30 days' written notice, at your cost. We will respond in good faith with a written description of our security controls, sub-processor list, and any third-party assessments we currently hold. If you require an on-site audit beyond that, we will negotiate scope and timing in good faith.
9. Breach notification
We will notify you of any personal-data breach affecting your data without undue delay, and within 72 hours where feasible — the same timeline on which GDPR requires you to notify your supervisory authority.
10. Return + deletion of data
On account termination, we will return your data via API export and then delete all personal data we hold on your behalf within 90 days, subject to legal retention obligations (e.g., tax records).