Privacy Policy
Last updated: May 2026
1. Data Controller
The data controller for Lenkli is GTA Go To Agency SAS, a French société par actions simplifiée (SIREN 944 980 762), registered at 9 rue Jean-Jacques Rousseau, 21000 Dijon, France.
Contact: [email protected]. See our Legal Notice for full company details.
2. Data We Collect
We collect the following data:
- Account data: email address, name (optional), hashed password
- Click analytics: country (from Cloudflare header), device type, browser, operating system, referrer, timestamp
- IP addresses: masked with a daily-rotating hash for non-EU visitors. For EU visitors, IPs are never stored (replaced with "eu-masked")
- Payment data: processed by Stripe. We do not store credit card information
3. How We Use Your Data
- Provide and improve the Service
- Display click analytics in your dashboard
- Send transactional emails (verification, billing, weekly stats)
- Detect and prevent abuse
4. Legal Basis for Processing (GDPR Article 6)
Each processing activity below is mapped to its lawful basis under Article 6(1) of the GDPR:
- Account data (email, name, hashed password): performance of a contract — Art. 6(1)(b). We need this to create and maintain your account.
- Click analytics (country, device, browser, OS, referrer, timestamp): legitimate interest — Art. 6(1)(f). The link owner has a legitimate interest in measuring the audience of their own links. Visitor IPs are masked before storage (see Section 2) and the data is aggregated.
- Payment data (handled by Stripe): performance of a contract — Art. 6(1)(b) for paid plans, and compliance with legal obligations — Art. 6(1)(c) for invoicing and accounting record retention.
- Transactional emails (verification, billing, security notices): performance of a contract — Art. 6(1)(b) and legal obligations — Art. 6(1)(c).
- Product update emails and weekly stats digests: consent — Art. 6(1)(a). You can opt out at any time from your account settings or via the unsubscribe link in each email.
- Optional anonymous site analytics (visitors of lenkli.com): consent — Art. 6(1)(a). Only loaded after you accept the cookie banner; refusing has no impact on the service.
- Abuse detection and security logs: legitimate interest — Art. 6(1)(f) in protecting the service and our users from fraud, spam, and malicious URLs.
5. Data Storage
Your data is stored on European servers (Hetzner, Germany). We use PostgreSQL for relational data and ClickHouse for analytics events.
6. Data Retention
- Account data: retained until you delete your account
- Click analytics: your dashboard shows the most recent 30 days (Free), 1 year (Pro) or 3 years (Business). The underlying event records are pseudonymized (no raw IP; for EU/EEA visitors the city and region are dropped at collection) and are permanently purged after 3 years at the latest.
- IP addresses: never stored in raw form — only a hash salted with a daily-rotating value (so the same address is not linkable across days), and EU/EEA visitor IPs are reduced to a non-identifying masked value
- Invoicing and accounting records: 10 years, as required by French commercial law
7. GDPR Rights (EU Residents)
Under the GDPR, you have the right to:
- Access your personal data
- Rectify inaccurate data
- Request deletion of your data
- Export your data in a portable format
- Object to or restrict processing
- Withdraw consent at any time, where processing is based on consent
- Lodge a complaint with your local supervisory authority (in France, the CNIL — www.cnil.fr)
To exercise these rights, contact [email protected].
8. Cookies
We use essential cookies required to operate the service (authentication session, active workspace, CSRF protection). With your explicit consent collected via the cookie banner, we may also load an anonymous, privacy-friendly analytics cookie on the marketing site (lenkli.com) to understand how visitors discover the product. We do not use third-party advertising or cross-site tracking cookies, and no analytics cookie is loaded if you refuse or ignore the banner. See our Cookie Policy for the full list.
9. Third-Party Sub-Processors
- Stripe Payments Europe Ltd. (Ireland): payment processing (privacy policy)
- Cloudflare, Inc. (United States): CDN, DNS, and edge security (privacy policy)
- Google LLC (United States): Safe Browsing API for malicious-URL detection, and "Sign in with Google" if you choose it (privacy policy)
- Apple Inc. (United States): "Sign in with Apple" if you choose it (privacy policy)
- Muro (muro.chat): our support-chat widget. If you open it while signed in and have accepted cookies, your email and name are shared so we can assist you (website)
- OpenFreeMap / OpenMapTiles: map tiles for the analytics globe; your IP address is sent when the map loads (about)
- abuse.ch (Switzerland): PhishTank / URLhaus threat feeds used to block malicious destination links. We send the URL being checked, not personal data (about)
- Hetzner Online GmbH (Germany): hosting and infrastructure. This also runs our self-hosted analytics (Rybbit) and error monitoring (Bugsink), both within the EU (privacy policy)
10. International Data Transfers
Our primary infrastructure (PostgreSQL, ClickHouse, Redis, application servers) is hosted entirely within the European Economic Area at Hetzner in Germany. However, some of our sub-processors are established outside the EEA, which means certain processing may involve a transfer of personal data to the United States:
- Stripe (US/Ireland): transfers covered by the EU Standard Contractual Clauses (SCCs) of 4 June 2021 and by Stripe's certification under the EU-U.S. Data Privacy Framework (DPF).
- Cloudflare (US): transfers covered by the EU Standard Contractual Clauses (SCCs) and by Cloudflare's self-certification under the EU-U.S. Data Privacy Framework (DPF).
- Google (US): transfers covered by the EU Standard Contractual Clauses (SCCs) and by Google's certification under the EU-U.S. Data Privacy Framework (DPF).
Where the DPF is unavailable or insufficient for a given recipient, we rely on the SCCs together with supplementary technical and organisational measures (encryption in transit, IP masking before leaving our infrastructure, minimisation of payloads sent to sub-processors). A copy of the SCCs and a description of the safeguards in place can be obtained by writing to [email protected].
11. Changes
We may update this policy. Significant changes will be communicated via email.