Part 04
GDPR & Privacy Rights
Your comprehensive guide to data protection rights under the GDPR — who controls your data, why we process it, and exactly how to exercise every right.
Who this applies to
This GDPR supplement applies to individuals located in the European Economic Area (EEA), United Kingdom, or Switzerland who use LinkStacked — including account holders, profile visitors, and people whose data may have been shared with us by a creator (e.g. a product buyer or email subscriber).
If you are in California, USA, please also see our California Privacy Notice (CCPA).
Data controller
Devpitch UG (haftungsbeschränkt)
Tucholskystraße 51, 10117 Berlin, Germany
HRB 266731 B · Amtsgericht Charlottenburg
GDPR / EU privacy contact: eu-privacy@linkstacked.com
Where creators use LinkStacked to process data about their own visitors (e.g. email captures, pixel tracking), the creator acts as a separate data controller for that data. LinkStacked acts as a data processor on their behalf.
Lawful bases for processing
The GDPR requires that every processing activity has a documented lawful basis. Here is how each of our core activities maps to a lawful basis:
Contract (Article 6(1)(b))
Processing that is necessary to provide the service you have signed up for:
- Creating and maintaining your account
- Serving your public profile to visitors
- Processing digital product purchases and tip payments via Stripe
- Sending transactional emails (receipts, password resets, security alerts)
- Providing creator analytics on profile views and link clicks
Legitimate interests (Article 6(1)(f))
Processing we conduct for our legitimate business interests, balanced against your rights:
- Fraud detection and prevention, including URL safety checks via Google Safe Browsing
- Rate limiting and abuse prevention (Redis-backed request throttling)
- Security monitoring and incident response
- Aggregate, anonymised product improvement analytics
- Moderation and enforcement of our Terms and Community Guidelines
Consent (Article 6(1)(a))
Processing that requires your explicit, freely given consent:
- Analytics cookies (GA4) and first-party tracking beyond essential analytics
- Marketing and retargeting cookies (third-party pixels)
- Promotional and marketing emails
- Optional personalisation features that require behavioural data
Legal obligation (Article 6(1)(c))
Processing required to comply with applicable law:
- Retaining financial transaction records for 7 years under German commercial and tax law (HGB §257, AO §147)
- Responding to valid court orders, subpoenas, or requests from law enforcement authorities
- KYC/AML compliance for Stripe Connect seller onboarding
Your GDPR rights
As a data subject located in the EEA, UK, or Switzerland, you have the following rights. We will respond to all requests within 30 days (extendable to 90 days for complex requests, with notice).
Right of access (Article 15)
Request a copy of all personal data we hold about you, including a description of processing purposes, data categories, recipients, and retention periods. Most data is available immediately via Settings → Data → Export.
Right to rectification (Article 16)
Correct inaccurate or incomplete personal data. Update most information directly in your dashboard (Profile, Account, Payout settings). For data you cannot update yourself, email us.
Right to erasure — 'right to be forgotten' (Article 17)
Request deletion of your personal data. You can delete your account at Settings → Data → Danger zone. We will complete deletion within 30 days, except where we are required to retain records for legal obligations (e.g. financial records for 7 years).
Right to data portability (Article 20)
Receive your personal data in a structured, machine-readable JSON format. Go to Settings → Data → Export and download your full data package at any time.
Right to restriction of processing (Article 18)
Request that we temporarily restrict the processing of your data while a dispute or complaint is being resolved. During restriction, we may only store (not process) your data, except where required by law or with your consent.
Right to object (Article 21)
Object to processing based on legitimate interests at any time. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests. You can always object to marketing emails via the unsubscribe link or Settings → Notifications.
Rights related to automated decision-making (Article 22)
We do not make solely automated decisions about you that produce significant legal or similarly significant effects. All account enforcement decisions are reviewed by our team.
International transfers
Our primary data storage and processing infrastructure is located within the EU/EEA. Some of our sub-processors operate in the United States. We safeguard such transfers using:
- Standard Contractual Clauses (SCCs) — European Commission-approved clauses incorporated into Data Processing Agreements with each US sub-processor.
- EU–US Data Privacy Framework — where applicable (certain Google services, Stripe, Cloudflare, AWS).
- Adequacy decisions — for transfers to countries with an EU adequacy decision (e.g. UK, Switzerland, New Zealand).
A list of all sub-processors including their data locations is available on our Sub-processors & Data Transfers page. A copy of our SCCs is available on request at eu-privacy@linkstacked.com.
Supervisory authority
You have the right to lodge a complaint with your local data protection supervisory authority. As we are based in Germany, our lead supervisory authority under the GDPR is:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstraße 219 · 10969 Berlin · Germany
EU residents may also contact the supervisory authority in their country of residence. UK residents can contact the ICO at ico.org.uk.
How to exercise your rights
You can exercise most rights directly in your account dashboard:
- Settings → Profile to update your name, username, bio, and photo
- Settings → Account to change email, password, and connected social accounts
- Settings → Notifications to manage email marketing preferences
- Settings → Security to enable 2FA, view login history, and revoke sessions
- Settings → Data → Export to download your full data in JSON format
- Settings → Data → Danger zone to permanently delete your account
For rights that cannot be exercised via the dashboard (restriction, portability in a specific format, complex erasure requests), email us at privacy@linkstacked.com with the subject line "GDPR Rights Request" and your username or account email.
We will respond within 30 days. For complex requests, we may extend this to 90 days and will notify you of the extension within the first 30 days. We may need to verify your identity before processing sensitive requests.
Questions about this policy?
Contact our legal team at legal@linkstacked.com or privacy@linkstacked.com for data matters. We respond within 5 business days.