⚠ Legal review required

This is a template generated for the operator and must be reviewed by a qualified lawyer before launch. It is provided as a starting point only and does not constitute legal advice.

Privacy Policy

Last updated: 2 July 2026

1. Data Controller

The data controller responsible for processing your personal data is:

Franciszek Kaminski
Sole proprietor (Einzelunternehmer)
Germany
Email: support@ultralink.bio

For all data protection enquiries, including the exercise of your data subject rights, please contact us at the email address above.

2. Personal Data We Collect

We collect the following categories of personal data:

  • Account data: Your email address, display name, and — if you register via Google OAuth — your Google profile name and profile picture URL.
  • Link page content: The links, text, images, and configuration you choose to publish on your Ultralink page. This content is stored by us to operate the service.
  • Usage analytics: Aggregated and per-link click counts, referring social platforms, approximate geographic location derived from IP address (country level), device type (mobile/desktop), and browser type.
  • IP address: Temporarily recorded for security, rate-limiting, fraud prevention, and for deriving country-level geo-data used in your analytics dashboard. Not stored long-term beyond what is necessary for these purposes.
  • Cookies and session data: Session tokens and authentication cookies are used to keep you logged in. See Section 8 for details.
  • Billing data: Payment processing is handled by Stripe. We do not store your full credit card number. We receive and retain limited transaction metadata (plan purchased, amount, date, Stripe customer ID) to manage your subscription.
  • Support communications: If you contact us by email, we retain those communications to resolve your request.

3. Legal Bases for Processing

We process personal data on the following legal bases under the GDPR:

  • Contract (Art. 6(1)(b) GDPR): Processing necessary to provide the Ultralink service you signed up for — account management, delivering link pages, processing subscription payments.
  • Legitimate interests (Art. 6(1)(f) GDPR): Analytics to improve the service, security and fraud prevention, communicating service-critical updates.
  • Consent (Art. 6(1)(a) GDPR): Where we explicitly ask for consent — for example, for non-essential cookies or optional marketing communications. You may withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c) GDPR): Retention of invoices and transaction records as required by German commercial and tax law.

4. Sub-processors

We use the following third-party sub-processors to operate the service. Each has been selected for compliance with GDPR and appropriate security standards:

ProcessorPurposeLocation
Supabase, Inc.Database storage and authenticationUSA (SCCs)
Stripe, Inc.Payment processing and subscription managementUSA (SCCs)
Resend, Inc.Transactional email deliveryUSA (SCCs)
Vercel, Inc.Cloud hosting and infrastructureUSA (SCCs)
Google LLCOAuth authentication (sign-in with Google)USA (SCCs)

SCCs = EU Standard Contractual Clauses, providing an adequate legal mechanism for international transfers under GDPR Chapter V.

5. International Data Transfers

As shown in Section 4, some of our sub-processors are based in the United States. These transfers are conducted under Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring an adequate level of data protection. You may request a copy of the applicable SCCs by contacting us at support@ultralink.bio.

6. Your Rights Under GDPR

As a data subject in the EU/EEA, you have the following rights:

  • Right of access (Art. 15): Request a copy of your personal data that we hold.
  • Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17): Request deletion of your data ("right to be forgotten"), subject to legal retention obligations.
  • Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
  • Right to object (Art. 21): Object to processing based on legitimate interests.
  • Right to restriction (Art. 18): Request that we restrict processing of your data in certain circumstances.
  • Right to withdraw consent (Art. 7(3)): Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
  • Right to lodge a complaint: You have the right to complain to the competent supervisory authority. In Germany, this is the relevant Landesbeauftragter für den Datenschutz. You can also contact the European Data Protection Board (EDPB).

To exercise any of these rights, email us at support@ultralink.bio. We will respond within 30 days.

7. Data Retention

  • Account data is retained for the duration of your account and deleted within 30 days of account deletion request, except where legal retention obligations apply.
  • Analytics data (aggregated click data) is retained for up to 24 months and then deleted.
  • Transaction and invoice records are retained for 10 years as required by German commercial law (§ 257 HGB) and tax law (§ 147 AO).
  • Support communications are retained for up to 3 years after resolution.

8. Cookies

We use the following types of cookies:

  • Strictly necessary cookies: Session and authentication tokens issued by Supabase to keep you logged in. These cannot be disabled without breaking the service. No consent is required under GDPR for strictly necessary cookies.
  • No tracking or advertising cookies: We do not use third-party advertising cookies, social media tracking pixels, or behavioural profiling.

9. Children's Privacy

Ultralink is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated to you by email or by a prominent notice on the service. The “Last updated” date at the top of this page reflects the date of the most recent revision. Continued use of the service after changes take effect constitutes acceptance of the updated policy.

11. Contact

For any data protection questions, requests, or complaints, contact us at: support@ultralink.bio