Effective Date: January 17, 2026
Last Updated: April 14, 2026
Introduction
LinkTaps ("we," "our," or "us") is a minimal link redirect service that operates on a privacy-first principle. We are committed to collecting only the minimum amount of data necessary to provide our service and comply with legal requirements.
This Privacy Policy explains what information we collect, how we use it, and your rights under the General Data Protection Regulation (GDPR) and other applicable privacy laws.
Our Commitment to Minimal Data Collection
LinkTaps is designed from the ground up to minimize data collection. We:
- Do NOT store email body content
- Do NOT use non-essential cookies or tracking cookies
- Do NOT store uploaded CSV files
- Do NOT fingerprint users
- Do NOT sell or share your data with third parties for marketing purposes
Our Commitment to Minimal Permissions
Unlike most services that request broad access to your social media accounts upfront, LinkTaps only requests the specific permissions absolutely required for the features you choose to use. We believe you should have full control over what access you grant.
- Granular permission requests: When you first connect, we request only the permissions required for the feature you chose to set up. If you set up DM or comment automations, we request comment monitoring and messaging permissions. If you set up Upload and Publish, we request only publishing permissions. Additional permissions like insights or content management are only requested when you explicitly enable those features.
- Incremental scope upgrades: You can expand permissions one at a time as you need them. Each upgrade clearly explains what new access is being requested and why.
- Multiple connection methods: You choose how to connect -- via Facebook Login for Business (recommended, with never-expiring system tokens), traditional Facebook OAuth, or Instagram Business Login. Each method offers different permission configurations suited to your needs.
- Full transparency: Your current permissions are visible in Settings at all times, and you can disconnect or revoke access at any point.
Data Controller
LinkTaps acts as the data controller for the personal data we collect through our service.
Contact Information:
Email: support@linktaps.io
1. Information We Collect
1.1 Information You Provide Directly
Account Information:
- Email address (required for passwordless authentication)
- Creator username/slug (optional, for custom branded short links on shared domain)
- Custom domain names (optional, if you choose to use your own domain)
Link/Campaign Data:
- Short link slugs (the custom path in your short URLs)
- Destination URLs (where your short links redirect to)
- iOS and Android deep link URLs (optional, for mobile app redirects)
Link-in-Bio Data:
- The links, text, images, headings, and customization (colors, layout) for your Link-in-Bio landing page hosted on LinkTaps
- Optional header image you upload for the Link-in-Bio page
- Display name and bio text you choose to show on the page
Feedback and Support:
- Messages you send through our feedback form
- Associated campaign or URL context (if provided)
CSV Import Data:
- Campaign data you upload via CSV (slugs, URLs, deep links)
- Note: CSV files are processed in-memory and are NOT stored on our servers
1.2 Information Collected Automatically
Click Analytics (for your links): When someone clicks on your short link, we collect:
- Device type (mobile, desktop, tablet)
- Operating system (iOS, Android, Windows, macOS, Linux)
- Browser type
- Whether the click came from an in-app browser (and which app browser: Facebook, Instagram, TikTok, etc.)
- User agent string
- HTTP referrer (the website they came from)
- Country (derived from IP address via geolocation)
- Timestamp of the click
- Click identifier (clickid) - A temporary, unique identifier used to track user journeys from in-app browsers to external browsers. This identifier is used solely to provide accurate analytics about verified transitions from in-app browsers to external browsers and is not used to track users across sessions or for any other purpose.
IP Addresses:
- We collect IP addresses for geolocation (to determine country) and security purposes
- IP addresses are NOT stored long-term for analytics purposes
- We do NOT track individual users across sessions using IP addresses
Bot Filtering:
- We automatically exclude known bot and crawler traffic (such as Facebook's link preview crawler and GPTBot) from analytics to ensure accurate click counts
- These automated requests are not logged or tracked
Web Analytics (Cloudflare Web Analytics):
- We use Cloudflare Web Analytics to understand how our website (not your links) is used
- Cloudflare Web Analytics does NOT use cookies
- It collects: page views, referrer information, browser type, and country
- Data is aggregated and anonymized
- See Cloudflare's privacy policy: https://www.cloudflare.com/privacypolicy/
1.3 Cookies
We use only ONE cookie, which is strictly necessary for our service to function:
Session Cookie (connect.sid):
- Purpose: Maintains your authenticated session after passwordless login
- Type: Essential/Strictly Necessary (does NOT require consent under GDPR)
- Duration: 7 days
- Attributes: HttpOnly, Secure (HTTPS only in production), SameSite=Lax
- Domain: linktaps.io
We do NOT use:
- Marketing cookies
- Advertising cookies
- Social media tracking cookies
- Third-party tracking cookies
Because we only use essential cookies, you will not see a cookie consent banner on our site.
1.4 Information We Do NOT Collect or Store
- Email body content - We use a metadata-only email logging system for SOC 2 and GDPR compliance. We store only: recipient email, subject line, email type, timestamp, and delivery status. We do NOT store login codes, magic link URLs, or message content.
- Uploaded files - CSV files are processed in-memory and immediately discarded after processing
- Passwords - We use passwordless authentication (magic links and login codes)
- Payment card details - Card numbers, CVV, and expiration dates are entered directly into Stripe's hosted checkout/portal — they never reach our servers. We only store the Stripe customer/subscription ID and billing-period dates needed to verify Pro access.
- Precise geolocation - We only derive country-level location from IP addresses
1.5 Social Media Automation and Meta Platform Data
LinkTaps includes optional automation features that integrate with Facebook and Instagram through the Meta Platform APIs. This section describes what data we collect, how we use it, and how you can delete it.
Minimal Permission Model
We request only the Meta permissions strictly necessary for the features you activate. When you first connect, we request only the permissions required for the feature you chose to set up -- comment monitoring and messaging if you set up DM or comment automations, or publishing permissions if you set up Upload and Publish. Permissions for insights, content management, or other capabilities are never requested until you explicitly choose to enable those features. You can see exactly which permissions have been granted at any time in Settings > Connected Accounts, and you can upgrade or revoke permissions individually. This gives you complete control over what LinkTaps can and cannot do with your accounts -- a level of granularity that most automation services do not offer.
What We Collect via Meta APIs
When you connect a Facebook Page or Instagram account to LinkTaps, and when users interact with your connected posts, our system may receive the following data:
- Public profile information -- The name, username, and profile picture of people who comment on your connected posts, as displayed publicly on their comments.
- Comment content -- The text of comments posted on your connected Facebook and Instagram posts.
- Direct message content -- The text of direct messages sent to your connected Facebook Pages and Instagram pages, used only to match the keywords you configure and trigger the auto-reply you set up. DM content is processed in real time for matching and logged to your activity audit trail; it is not retained beyond that and is never used for any other purpose.
- User ID -- A Meta-assigned, platform-scoped identifier used solely to send a direct message in response to a comment.
- Post metadata -- Captions, media URLs, thumbnails, and permalinks of posts you choose to monitor.
- Page and account identifiers -- Facebook Page IDs, Page names, Instagram account IDs, and Instagram usernames for accounts you connect.
- Engagement insights -- Post-level metrics such as likes, comments, shares, saves, reach, and impressions (only if you grant the Insights permission).
We do not collect email addresses, phone numbers, friend lists, or any private data beyond what is listed above through the Meta APIs.
How We Use Meta Platform Data
We use the data described above exclusively to:
- Detect comments on your connected posts that match keywords you configure.
- Send a direct message (via Instagram DM or Facebook Messenger) containing the reply you configured for that keyword.
- Post a public reply to a comment as a fallback if a direct message cannot be delivered.
- Generate AI-powered replies based on your knowledge base, when you enable the AI Replies feature (see Section 1.6).
- Publish content (images, videos, carousels) to your connected Facebook Pages and Instagram accounts, when you use the Upload and Publish feature.
- Display engagement insights and analytics for your connected posts, when you grant Insights permissions.
Real-time processing. When Meta sends us a webhook notification about a new comment on your connected post, it is processed in real time by a Cloudflare Worker. The Worker matches the comment against your keyword rules, sends any configured replies, and logs the activity. Comment data is not stored by the Worker itself -- it is passed to our database only for activity logging and duplicate prevention.
Profile picture fetching. When you choose to pull a profile picture from a social media platform during account setup, we fetch the publicly available profile page to extract the image URL. This is done via a Cloudflare Worker and no login credentials or private data are accessed. The fetched image is stored in Cloudflare R2 as your profile picture.
We do not use Meta Platform Data for advertising, profiling, selling, or any purpose other than providing the automation and publishing features you configure.
Storage and Retention of Meta Platform Data
| Data Type | Retention | Purpose |
|---|---|---|
| Comment IDs (dedup cache) | 7 days | Prevents duplicate replies to the same comment |
| Activity log (commenter name, comment text, reply sent, action taken) | Until you delete it | Audit trail for your automation activity |
| Post metadata (caption, media URL, permalink) | Until you deactivate or delete the post | Monitoring and rule matching |
| Keyword rules and DM rules | Until you delete them | Automation configuration |
| Connected account tokens | Until you disconnect the account | API access for automation and publishing |
| Publish job records | Until you delete them | Publishing status tracking |
You can delete all Meta Platform Data stored by LinkTaps at any time:
- In the dashboard: Go to Settings > Connected Accounts and click "Delete All Meta Data." This permanently removes all connected accounts, posts, rules, activity logs, and DM rules associated with Meta platforms.
- Disconnect individual accounts: Click "Disconnect" on any connected account in Settings to remove that account and revoke API access.
- By email: Contact support@linktaps.io to request deletion.
When you disconnect an account or delete Meta data, we also attempt to revoke API permissions on Meta's side. For accounts connected via Facebook Login for Business, you may also need to remove the app from Business Suite > Settings > Integrations > Connected Apps.
1.6 AI-Powered Replies and Third-Party AI Processing
When you enable the AI Replies feature, comment text and commenter context from your connected posts may be sent to a third-party AI provider (OpenRouter) for processing. This is used solely to generate a relevant reply based on the knowledge base you configure.
- What is sent: The comment text, a summary of your knowledge base entries, and your custom AI instructions.
- What is NOT sent: Commenter names, user IDs, email addresses, or any personally identifiable information about the commenter.
- Provider: OpenRouter (https://openrouter.ai). See their privacy policy at https://openrouter.ai/privacy.
- Retention by provider: We do not control data retention by OpenRouter. Consult their privacy policy for details.
You can disable AI replies at any time from the AI Replies tab in the dashboard.
2. Legal Basis for Processing (GDPR)
We process your personal data under the following legal bases:
| Data Type | Legal Basis | Purpose |
|---|---|---|
| Email address, account data | Contractual necessity | To provide you with the link redirect service you requested |
| Click analytics data | Legitimate interests | To provide you with analytics about your links' performance |
| Security logs, rate limiting | Legitimate interests | To protect our service from abuse and ensure security |
| Email delivery metadata | Legal obligation | SOC 2 compliance and audit trail requirements |
| IP address (geolocation) | Legitimate interests | To provide country-level analytics for your campaigns |
| Cloudflare Web Analytics | Legitimate interests | To improve our website and service |
| Meta Platform Data (comments, posts) | Contractual necessity | To provide the automation features you configured |
| AI processing of comments | Contractual necessity | To generate AI-powered replies you enabled |
3. How We Use Your Information
We use the collected information for the following purposes:
3.1 Service Delivery
- Authenticate you into your account (via email-based magic links/codes)
- Create and manage your short links and campaigns
- Redirect visitors who click your links to the appropriate destination
- Provide analytics about link performance (clicks, devices, locations, etc.)
- Send transactional emails (login codes, domain verification, alerts)
3.2 Service Improvement
- Analyze aggregated usage patterns to improve our service
- Monitor service performance and reliability
- Troubleshoot technical issues
3.3 Security and Compliance
- Prevent fraud, abuse, and unauthorized access
- Enforce our Terms of Service
- Comply with legal obligations (SOC 2, GDPR, etc.)
- Maintain audit logs for security incidents
3.4 Communication
- Send you important service notifications (domain SSL certificate expiration, account disconnection alerts, etc.)
- Send transactional usage notifications:
- Respond to your support requests and feedback
- Send occasional product updates (you can opt out)
4. Data Retention
We retain your personal data only as long as necessary for the purposes outlined in this policy:
| Data Type | Retention Period | Reason |
|---|---|---|
| Account information | Until account deletion | Service provision |
| Campaign/link data | Until you delete the campaign or account | Service provision |
| Click analytics | Indefinitely (aggregated) | Analytics and service improvement |
| Click identifiers (clickid) | Stored with click analytics, deleted with campaign/account | Used only for analytics accuracy, not for cross-session tracking |
| Email audit metadata | 7 years | SOC 2 compliance, legal requirements |
| Security logs | 90 days | Security monitoring and incident response |
| Rate limit counters | 1-24 hours (rolling windows) | Abuse prevention |
| Session cookies | 7 days or logout | Authentication |
| Inactive accounts | May be deleted after 2 years of inactivity | Data minimization |
| Meta automation activity logs | Until you delete via Settings | Audit trail |
| Meta comment dedup cache | 7 days | Duplicate prevention |
| Connected Meta account data | Until you disconnect the account | API access |
5. Data Sharing and Disclosure
We do NOT sell your personal data to third parties.
We may share your information only in the following limited circumstances:
5.1 Service Providers (Data Processors)
We use the following third-party service providers who process data on our behalf:
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Convex | Database hosting | All account and campaign data | United States |
| Amazon Web Services (AWS SES) | Email delivery | Email addresses, metadata | United States |
| Cloudflare | Web analytics, CDN, DDoS protection | IP addresses, browsing data | Global |
| Cloudflare Workers | Real-time webhook processing, profile picture scraping | Meta webhook payloads (comment text, user IDs), public profile URLs | Global |
| Fly.io | Application hosting | HTTP request data | United States |
| Cloudflare R2 | Media file storage | Uploaded images and videos | Global |
| OpenRouter | AI reply generation | Comment text, knowledge base context (no PII) | United States |
| Stripe | Payment processing for Pro subscriptions | Email, billing details (Stripe handles card data directly -- we never see or store it) | United States |
5.2 Legal Requirements
We may disclose your information if required by law, such as:
- In response to valid legal process (subpoena, court order)
- To protect our rights, property, or safety
- To prevent fraud or security threats
- To comply with regulatory obligations
5.3 Business Transfers
If LinkTaps is involved in a merger, acquisition, or sale of assets, your data may be transferred. You will be notified of any such change.
6. International Data Transfers
LinkTaps is operated from the United States. If you access our service from outside the United States, your data will be transferred to and processed in the United States.
For users in the European Economic Area (EEA), United Kingdom, or Switzerland:
- We rely on adequacy decisions, Standard Contractual Clauses (SCCs), or other legally recognized transfer mechanisms
- Our service providers (AWS, Cloudflare, Convex) comply with GDPR requirements
7. Your Rights Under GDPR
If you are located in the EEA, UK, or Switzerland, you have the following rights:
7.1 Right to Access
You can request a copy of the personal data we hold about you.
7.2 Right to Rectification
You can request correction of inaccurate or incomplete data.
7.3 Right to Erasure ("Right to be Forgotten")
You can request deletion of your personal data by:
- Deleting your account through the dashboard
- Emailing us at support@linktaps.io
If you have an active Pro subscription, deleting your account will automatically cancel it via Stripe — no further charges will be made. Subscription fees and overage already incurred are not refunded.
Note: Some data may be retained for legal compliance (e.g., email audit logs for SOC 2; Stripe's own records of past transactions per their own retention policy).
7.4 Right to Restriction of Processing
You can request that we limit how we use your data in certain circumstances.
7.5 Right to Data Portability
You can request a machine-readable copy of your data to transfer to another service.
7.6 Right to Object
You can object to processing based on legitimate interests (such as analytics).
7.7 Right to Withdraw Consent
Where we rely on consent, you can withdraw it at any time (though this doesn't apply to most of our processing, which is based on contract or legitimate interests).
7.8 Right to Lodge a Complaint
You can file a complaint with your local data protection authority (DPA) if you believe we have violated GDPR.
To exercise any of these rights, contact us at: support@linktaps.io
We will respond to your request within 30 days.
8. Security Measures
We implement industry-standard security measures to protect your data:
Technical Measures:
- Encryption in transit: All data transmitted over HTTPS (TLS 1.2+)
- Encryption at rest: Database encryption via Convex
- Secure session management: HttpOnly, Secure, SameSite cookies
- Rate limiting: Protection against brute force and abuse
- Account lockouts: Automatic lockout after 10 failed login attempts (24 hours)
- Email bounce tracking: Prevents sending to invalid/bounced addresses
- Security logging: Comprehensive audit trail of security events
Organizational Measures:
- Privacy by design and by default
- Metadata-only email logging (no sensitive content stored)
- Minimal data collection principle
- Regular security monitoring
- Access controls and authentication
However, no system is 100% secure. If you discover a security vulnerability, please report it to support@linktaps.io.
9. Children's Privacy
LinkTaps is not intended for children under the age of 13 (or 16 in the EEA). We do not knowingly collect personal data from children. If we learn that we have collected data from a child without parental consent, we will delete it immediately.
If you believe a child has provided us with personal data, please contact us at support@linktaps.io.
10. Do Not Track (DNT)
Some browsers offer a "Do Not Track" (DNT) signal. Because there is no industry standard for DNT, we do not currently respond to DNT signals. However, we already minimize tracking by:
- Using only essential cookies
- Using cookie-less analytics (Cloudflare Web Analytics)
- Not using third-party advertising or tracking scripts
11. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to Know: What personal information we collect, use, and share
- Right to Delete: Request deletion of your personal information
- Right to Opt-Out: We do not sell personal information, so this right is not applicable
- Right to Non-Discrimination: We will not discriminate against you for exercising your rights
To exercise these rights, contact us at support@linktaps.io.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will:
- Update the "Last Updated" date at the top of this policy
- Notify you via email (to the address on file)
- Provide prominent notice on our website
Continued use of our service after changes constitutes acceptance of the updated policy.
13. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Email: support@linktaps.io
Mailing address: OutdoorSavannah LLC, Ramsey County, Minnesota, United States
Data Protection Inquiries: For GDPR-specific requests, please include "GDPR Request" in the subject line.
14. Key Takeaways (Summary)
For your convenience, here's a summary of our privacy-first approach:
Thank you for trusting LinkTaps with your link management needs.