Privacy Policy

LinkStacked is a bio link and creator commerce platform operated by Devpitch UG (haftungsbeschränkt), registered under HRB 266731 B at Amtsgericht Charlottenburg, Tucholskystraße 51, 10117 Berlin, Germany.

For privacy matters, you can reach us at privacy@linkstacked.com. For GDPR matters involving EU/UK residents, our designated contact is eu-privacy@linkstacked.com.

We use the data we collect for the following purposes, each grounded in a lawful basis:

Creators can configure certain data-processing activities that apply to their own profile visitors. LinkStacked acts as a data processor for these activities; the creator is the data controller.

We do not sell your personal data. We share it only with the following categories of recipients, all bound by data processing agreements:

• Stripe — payment processing, identity verification (Connect onboarding), and payout settlement. Stripe acts as an independent controller for its own KYC and AML obligations.
• AWS (Amazon Web Services) — cloud infrastructure, S3 file storage (profile assets and private digital product files), and database hosting.
• Cloudflare — CDN, DDoS protection, and cache purging for custom domain assets.
• Google — OAuth sign-in, Safe Browsing link-safety checks, Maps Places API (Connect onboarding address lookup), and GA4 analytics (if consent given).
• Apple — OAuth sign-in via Sign in with Apple.
• Google SMTP (via Nodemailer) — transactional email delivery (receipts, alerts, password resets).
• Mailchimp — creator-initiated email audience sync (only when creator has connected their account).
• MongoDB — database storage for all platform data.
• Redis — session caching, rate-limiting counters, and real-time data.
• Google BigQuery (optional) — aggregated analytics processing if enabled on the account.
• Legal / regulatory authorities — we may disclose data where required by law, court order, or to protect the rights and safety of the platform and its users.

For the full vendor table including data locations and transfer mechanisms, see our Sub-processors & Data Transfers page.

Devpitch UG is headquartered in Germany (EU). Several of our sub-processors are based in the United States. Where we transfer personal data from the EEA, UK, or Switzerland to the US, we rely on:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• The EU–US Data Privacy Framework where applicable

All sub-processors are bound by Data Processing Agreements (DPAs) that ensure they provide at least equivalent data protection to European standards. A copy of the applicable SCCs is available on request at privacy@linkstacked.com.

• Account data is retained for as long as your account is active.
• If you delete your account, we will delete or anonymise your personal data within 30 days, except where a legal hold applies.
• Transaction records (orders, payouts, refunds) are retained for 7 years to comply with German commercial and tax law (HGB §257, AO §147).
• Moderation records (reports, enforcement actions) are retained for up to 3 years to document our compliance obligations.
• Aggregated, anonymised analytics data may be retained indefinitely — it cannot be linked back to any individual.
• Backup systems may retain copies of deleted data for up to 30 additional days before full purge.

Depending on your location, you have the following rights over your personal data. EU/UK residents can find the full GDPR detail on our GDPR page. California residents should also see our CCPA Notice.

• Access — request a copy of the personal data we hold about you. Most data is available via Settings → Data → Export.
• Correction — correct inaccurate or incomplete data directly in your dashboard.
• Deletion — delete your account at Settings → Data → Danger zone. Full deletion completes within 30 days.
• Portability — download your data in machine-readable JSON format.
• Objection — object to marketing emails via the unsubscribe link in any email, or at Settings → Notifications.
• Restriction — request restricted processing while a dispute is pending.

• All data is encrypted in transit using TLS 1.2+
• Sensitive fields (TOTP secrets, payment tokens) are encrypted at rest using AES-256
• Passwords are hashed with bcrypt (never stored in plaintext)
• JWT access tokens are short-lived (15 minutes); refresh tokens are rotated on use
• Rate limiting and bot detection protect all public API endpoints (Redis-backed)
• Google Safe Browsing checks all user-submitted URLs before they are stored
• Private product files are stored in a restricted S3 bucket and served only via signed, time-limited URLs (5-minute expiry)
• Admin accounts require two-factor authentication (enforced within a configurable grace period)

No method of electronic transmission or storage is 100% secure. We encourage you to use a strong, unique password and enable two-factor authentication in Settings → Security.

LinkStacked is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you are between 13 and 16 and located in the EU, we may require verifiable parental consent before processing your data beyond strict service necessity.

If you believe we have inadvertently collected data from a child, please contact us immediately at safety@linkstacked.com and we will delete it promptly.

We may update this Privacy Policy when we add new features, change vendors, or when the law requires it. We will notify you of material changes by email or by posting a prominent notice in your dashboard at least 14 days before they take effect. The "Last updated" date at the top of this page always reflects the current version.

For any questions about this policy, contact us at privacy@linkstacked.com.