Privacy Policy

1. Introduction and Scope

LinkQuill ("LinkQuill," "we," "us," or "our") operates an affiliate marketing platform that connects brands (advertisers) with affiliates (publishers) through a two-sided discovery marketplace and performance tracking system. This Privacy Policy explains how we collect, use, disclose, retain, and protect personal data when you access or use our website at linkquill.net, our platform dashboards, our public discovery marketplace, our tracking technologies, our APIs, and any related services (collectively, the "Service").

This policy applies to all users of the Service, including:

• Brands — businesses that create and manage affiliate programs, configure commission structures, and integrate their e-commerce stores with LinkQuill;
• Affiliates — publishers, content creators, and marketers who discover programs, promote products, and earn commissions through tracked referrals;
• End Users — visitors to brand websites whose interactions are tracked by the LinkQuill tracking snippet for the purpose of attributing referrals and conversions; and
• Website Visitors — individuals who visit linkquill.net or the public discovery marketplace without creating an account.

By creating an account or using the Service, you acknowledge that you have read and understood this Privacy Policy. Where we rely on consent as a legal basis for processing, we will obtain your explicit consent at the point of collection. If you do not agree with our practices, please do not use the Service.

This Privacy Policy should be read alongside our Terms of Service, which govern your use of the Service.

2. Data Controller

For the purposes of the EU General Data Protection Regulation ("GDPR"), the UK GDPR, and other applicable data protection laws, the data controller responsible for your personal data is:

Where a Brand uses LinkQuill's tracking technologies on its own website to monitor end-user clicks and conversions, the Brand acts as the data controller for end-user data collected through its website, and LinkQuill acts as a data processor on the Brand's behalf. In such cases, the Brand is responsible for providing appropriate privacy disclosures to its end users and obtaining any required consents for cookie-based tracking. We provide tools and documentation to help Brands meet these obligations.

3. Categories of Personal Data We Collect

We collect and process the following categories of personal data, depending on how you interact with the Service:

3.1 Account Data

When you register for an account, we collect your full name, email address, and a securely hashed password (if you register via email/password). If you authenticate using Google OAuth through Firebase Authentication, we receive your name, email address, and profile photograph URL from Google. We also store your unique Firebase user identifier and the authentication method used.

3.2 Profile and Business Data

Brands may provide a company name, company website, industry category, business description, logo, brand slug (for public profile URLs), and social media links. Affiliates may provide a display name, bio, content niches, website URLs, social media handles, and promotional channels. This information is used to populate public marketplace profiles and facilitate discovery.

3.3 Financial and Transaction Data

To process subscription payments from Brands and commission payouts to Affiliates, we integrate with Stripe. We store your Stripe customer ID, Stripe Connect account ID (for Affiliates), subscription status, plan tier, and billing cycle information. We maintain records of all transactions including commission amounts, payout amounts, payout statuses, and invoice references. We do not store full credit card numbers, bank account numbers, or other sensitive payment credentials — these are held exclusively by Stripe in its PCI DSS Level 1 certified environment.

3.4 Tracking and Analytics Data

Our tracking snippet, which Brands install on their websites, collects data about end-user interactions for the purpose of attributing referrals and conversions. This includes:

• IP addresses (used for fraud detection and geolocation; automatically anonymized after 30 days);
• User agent strings (browser type, version, operating system);
• Device type and screen resolution;
• Referrer URL (the page that linked the visitor to the brand's website);
• A unique, pseudonymous visitor ID assigned by our tracking snippet;
• Timestamps of clicks and conversions;
• Page URLs where clicks and conversions occur; and
• Conversion metadata such as order IDs, order amounts, and currency codes (provided by the brand's integration).

We use this data for conversion attribution, commission calculation, fraud detection and prevention, and aggregated analytics reporting. Individual-level tracking data is not sold or used for behavioral advertising.

3.5 Cookie Data

We use cookies and similar technologies on both our own website and through the tracking snippet installed on brand websites. Detailed information about each cookie type, its purpose, and its duration is provided in Section 11 (Cookie Policy).

3.6 Communication Data

We process the content of transactional emails sent through our email provider (Brevo), including account verification emails, password reset requests, payout notifications, program invitation emails, and platform alerts. We may also process messages you send to our support team, feedback you submit, and any communications exchanged through the platform's invitation system.

3.7 E-Commerce Integration Data

When a Brand connects an e-commerce platform (such as Shopify, WooCommerce, Square, BigCommerce, Wix, or Squarespace), we receive order data necessary for conversion tracking and commission calculation. This may include order IDs, order totals, product categories, customer location (country/region only — not full address), and order timestamps. Integration credentials (OAuth tokens, API keys) are encrypted using AES-256-GCM before storage and are never logged or exposed in plaintext.

3.8 Technical and Usage Data

When you use the Service, we automatically collect technical information such as your IP address, browser type, operating system, referring URL, pages visited within the platform, session duration, and feature usage patterns. This data helps us maintain and improve the Service, detect issues, and understand how users interact with our platform.

4. Legal Bases for Processing (GDPR Article 6)

We process personal data only where we have a valid legal basis under applicable data protection law. The table below sets out the legal bases we rely on for each processing purpose:

Where we rely on legitimate interests, we have conducted a balancing assessment to ensure that our interests do not override your fundamental rights and freedoms. You may request details of these assessments by contacting us at privacy@linkquill.net.

5. How We Use Your Data

We use personal data for the following specific purposes:

5.1 Providing the Service

• Creating and authenticating your account via Firebase Authentication;
• Displaying your profile on the public discovery marketplace (if you opt in);
• Matching affiliates with relevant programs based on niches, categories, and performance;
• Processing program applications and invitation workflows;
• Tracking clicks and conversions through our JavaScript snippet and server-side APIs;
• Attributing referrals to the correct affiliate within the configured attribution window;
• Calculating commissions based on program rules (percentage, flat rate, or tiered); and
• Processing subscription billing for Brands and commission payouts for Affiliates via Stripe.

5.2 Fraud Detection and Platform Integrity

• Analyzing click patterns, IP addresses, and user agents to detect fraudulent or bot-generated traffic;
• Applying rate limiting (via Upstash Redis) to prevent API abuse and automated attacks;
• Flagging suspicious conversions for manual review by Brands; and
• Enforcing plan limits and usage thresholds to prevent abuse of the platform.

5.3 Communication

• Sending transactional emails such as account verification, password resets, payout confirmations, and program invitations via Brevo;
• Notifying you of material changes to the Service, our Terms, or this Privacy Policy; and
• Sending marketing communications only where you have provided explicit opt-in consent (you may unsubscribe at any time).

5.4 Analytics and Improvement

• Generating aggregated, non-identifying analytics to help Brands and Affiliates understand performance;
• Analyzing usage patterns to improve the platform's features, reliability, and user experience; and
• Conducting internal research on platform trends (always on aggregated, de-identified data).

5.5 Legal and Regulatory Compliance

• Retaining transaction records as required by tax and financial reporting obligations;
• Responding to lawful requests from law enforcement or regulatory authorities; and
• Enforcing our Terms of Service and protecting our legal rights.

6. Data Sharing and Third-Party Processors

We do not sell your personal data. We share personal data only with the third-party service providers necessary to operate the Service, and only to the extent required for each provider's specific function. Each processor is bound by a Data Processing Agreement ("DPA") or equivalent contractual protections.

We may also share personal data with professional advisors (lawyers, auditors, accountants) who are bound by professional obligations of confidentiality, or with law enforcement or regulatory bodies when we are legally required to do so.

In the event of a merger, acquisition, or sale of all or a portion of our assets, personal data may be transferred to the acquiring entity. We will notify you of any such transfer and any changes to this Privacy Policy that result from it.

7. International Data Transfers

LinkQuill is headquartered in the United States. If you are located in the European Economic Area ("EEA"), the United Kingdom, or Switzerland, your personal data will be transferred to the United States for processing. We recognize that the United States does not currently benefit from an unqualified adequacy decision under GDPR, and we implement the following safeguards for international transfers:

• Standard Contractual Clauses (SCCs): We enter into the European Commission's Standard Contractual Clauses (Module 2: Controller-to-Processor) with each third-party processor that processes EEA personal data outside the EEA.
• EU-U.S. Data Privacy Framework: Where applicable, we rely on our processors' certifications under the EU-U.S. Data Privacy Framework (e.g., Google, Stripe) as an additional transfer mechanism.
• Supplementary Measures: We implement technical measures including encryption in transit (TLS 1.3) and at rest (AES-256), access controls, pseudonymization of tracking data, and IP anonymization to provide additional protection.
• UK International Data Transfer Agreement (IDTA): For transfers from the UK, we use the UK IDTA or the UK Addendum to the EU SCCs, as appropriate.

You may request a copy of the relevant transfer safeguards by contacting privacy@linkquill.net.

8. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes described in this policy, or as required by law. The table below sets out our specific retention periods:

When data reaches the end of its retention period, it is permanently deleted or irreversibly anonymized. Where deletion of specific data would be technically impractical (e.g., backup archives), we apply appropriate access controls and isolation until deletion is feasible.

9. Your Rights Under the GDPR

If you are located in the EEA, the United Kingdom, or Switzerland, you have the following rights under the GDPR (and equivalent UK GDPR provisions). You may exercise any of these rights by contacting us at privacy@linkquill.net. We will respond to your request within 30 days, as required by law.

9.1 Right of Access (Article 15)

You have the right to obtain confirmation of whether we process your personal data, and if so, to receive a copy of that data along with information about the purposes, categories of data, recipients, retention periods, and the source of the data. We will provide data in a commonly used, machine-readable format (such as JSON or CSV) upon request.

9.2 Right to Rectification (Article 16)

You have the right to request correction of inaccurate personal data and completion of incomplete data. You can update most account and profile data directly through your dashboard settings. For other corrections, contact our privacy team.

9.3 Right to Erasure (Article 17)

You have the right to request deletion of your personal data where the data is no longer necessary for its original purpose, you withdraw consent, or you object to processing and no overriding legitimate grounds exist. Please note that we may be required to retain certain financial and transaction records for up to 7 years to comply with tax and regulatory obligations. In such cases, data will be restricted rather than deleted until the retention period expires.

9.4 Right to Restriction (Article 18)

You have the right to restrict processing of your personal data where you contest the accuracy of the data, the processing is unlawful but you prefer restriction over erasure, we no longer need the data but you require it for legal claims, or you have objected to processing pending verification of our legitimate grounds.

9.5 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format, and to transmit that data to another controller without hindrance. This applies to data you have provided to us and that we process on the basis of consent or contract performance. We can provide data exports in JSON or CSV format.

9.6 Right to Object (Article 21)

You have the right to object to processing based on legitimate interests, including profiling. If you object, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defense of legal claims. You may object to direct marketing at any time, and we will immediately cease such processing.

9.7 Rights Related to Automated Decision-Making (Article 22)

Our fraud detection system analyzes click and conversion patterns using automated rules to flag potentially fraudulent activity. These automated analyses may result in a conversion being flagged for manual review, but no decision that produces legal effects or similarly significant effects on individuals is made solely by automated means without human oversight. Brands ultimately approve or reject flagged conversions. You have the right to request human intervention, express your point of view, and contest any automated decision that affects you.

9.8 Right to Withdraw Consent

Where we process data based on your consent (e.g., marketing emails, non-essential cookies), you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing performed before the withdrawal. You can withdraw consent by updating your preferences in your account settings, clicking "unsubscribe" in any marketing email, or contacting us at privacy@linkquill.net.

10. Your Rights Under the CCPA (California Residents)

If you are a resident of California, the California Consumer Privacy Act ("CCPA"), as amended by the California Privacy Rights Act ("CPRA"), provides you with specific rights regarding your personal information. This section describes those rights and how to exercise them.

10.1 Right to Know

You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which the information was collected, the business or commercial purpose for collection, and the categories of third parties with whom we share your information. You may make a verifiable consumer request up to twice within a 12-month period.

10.2 Right to Delete

You have the right to request the deletion of personal information we have collected from you, subject to exceptions provided by the CCPA (such as data necessary to complete a transaction, detect fraud, comply with legal obligations, or exercise free speech rights).

10.3 Right to Correct

You have the right to request that we correct inaccurate personal information that we maintain about you, taking into account the nature of the information and the purposes of processing.

10.4 Right to Opt-Out of Sale or Sharing

LinkQuill does not sell personal information as defined by the CCPA/CPRA. We do not sell, rent, or trade personal information to third parties for monetary or other valuable consideration. We also do not "share" personal information for cross-context behavioral advertising purposes. Because we do not engage in these practices, there is no need to opt out. Should our practices change, we will update this policy and provide a "Do Not Sell or Share My Personal Information" link on our website.

10.5 Right to Limit Use of Sensitive Personal Information

We do not collect or process "sensitive personal information" as defined under the CPRA beyond what is necessary to provide the Service (e.g., account login credentials). We do not use sensitive personal information for purposes beyond those permitted under the CPRA.

10.6 Non-Discrimination

We will not discriminate against you for exercising any of your CCPA/CPRA rights. We will not deny you goods or services, charge you different prices, provide a different level of quality, or suggest that you will receive different treatment for exercising your rights.

10.7 How to Exercise Your Rights

To submit a verifiable consumer request, contact us at privacy@linkquill.net. We will verify your identity by matching the information you provide with the information we have on file. We will respond within 45 days, with the possibility of a 45-day extension if necessary (we will notify you of any extension). You may also designate an authorized agent to make a request on your behalf by providing a signed written authorization.

11. Cookie Policy

We use cookies and similar technologies to operate the Service, track affiliate referrals, and improve your experience. This section describes the types of cookies we use, their purposes, and how you can manage them.

11.1 What Are Cookies

Cookies are small text files placed on your device by a website or service. They are widely used to make websites work efficiently, remember preferences, and provide information to site operators. We also use local storage and similar browser-based technologies for certain functions.

11.2 Cookies We Use

11.3 Third-Party Cookies

When you authenticate with Google OAuth, Google may set cookies on your device subject to Google's own privacy policy. Stripe may set cookies when you interact with payment forms to facilitate fraud prevention and payment processing, subject to Stripe's Privacy Policy. We do not control the cookies set by these third parties.

11.4 Managing Cookies

You can control and manage cookies through your browser settings. Most browsers allow you to refuse or delete cookies. Please note that disabling strictly necessary cookies may prevent you from using core features of the Service (such as logging in). Disabling tracking cookies on a brand's website may prevent affiliate attribution from functioning correctly.

Where required by applicable law (e.g., for visitors from the EEA), we display a cookie consent banner that allows you to accept or decline non-essential cookies before they are placed on your device.

12. Security Measures

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher. API endpoints enforce HTTPS exclusively.
• Encryption at rest: Database contents are encrypted at rest using the hosting provider's built-in encryption. E-commerce integration credentials are additionally encrypted using AES-256-GCM before storage.
• Password security: User passwords are salted and hashed using industry-standard algorithms (via Firebase Authentication). We never store passwords in plaintext.
• Access controls: Access to personal data is restricted to authorized personnel on a need-to-know basis. Administrative access requires multi-factor authentication.
• Rate limiting: API endpoints are protected by rate limiting (via Upstash Redis) to prevent brute-force attacks and abuse.
• Fraud detection: Automated monitoring of click and conversion patterns to detect and prevent fraudulent activity, bot traffic, and abuse.
• IP anonymization: IP addresses collected through the tracking snippet are automatically anonymized after 30 days through an automated process, reducing the risk of re-identification.
• Webhook security: Incoming webhooks from third-party services (Stripe, Shopify, etc.) are verified using cryptographic signature validation and idempotency checks.
• Infrastructure security: Our application is hosted on Vercel, which provides DDoS protection, automatic SSL, and isolated serverless compute. Our database is hosted on Neon, which provides SOC 2 Type II certified infrastructure with automated backups.

While we strive to protect your personal data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we continuously review and update our security practices in line with industry standards.

13. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from children under 18 years of age. Affiliate marketing involves commercial relationships, financial transactions, and binding contractual agreements that require users to be of legal age to enter into contracts in their jurisdiction.

If we become aware that we have collected personal data from a child under 18, we will take immediate steps to delete that data and terminate the associated account. If you believe that we may have collected data from a child under 18, please contact us immediately at privacy@linkquill.net.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes, we will:

• Update the "Last Updated" date at the top of this page;
• For material changes, notify you via email (to the address associated with your account) at least 30 days before the changes take effect;
• For material changes, display a prominent notice within the platform dashboard; and
• Where required by law, obtain your renewed consent before applying changes that affect how we process your data.

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised policy, except where consent is separately required.

15. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, you may contact us using the following methods:

For GDPR-related inquiries, our Data Protection Officer can be reached at dpo@linkquill.net. We aim to respond to all privacy-related inquiries within 30 days.

For CCPA verifiable consumer requests, please email privacy@linkquill.net with the subject line "CCPA Request" and include sufficient information for us to verify your identity (such as the email address associated with your account).

16. Complaints to a Supervisory Authority

If you are located in the EEA or the United Kingdom and believe that our processing of your personal data infringes applicable data protection law, you have the right to lodge a complaint with your local data protection supervisory authority. We encourage you to contact us first so that we can try to resolve your concern directly, but you are under no obligation to do so before approaching a supervisory authority.

A list of EEA supervisory authorities and their contact details is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en

For the United Kingdom, the relevant supervisory authority is the Information Commissioner's Office (ICO): https://ico.org.uk