Privacy Policy

Last updated: March 26, 2026

This policy explains what data Zebra Link collects, why we collect it, and what we do with it. We comply with the EU General Data Protection Regulation (GDPR) and Danish data protection law.

What We Collect

Account Data

When you sign up, we store:

  • Your email address
  • Your password (encrypted — we never see or store it in plain text)
  • OAuth provider info (if you sign in via a third-party account)
  • When your account was created
  • Language and locale preferences

Link Data

When you create links, we store:

  • The destination URL
  • The link code
  • Custom domains you connect (if any)
  • Any titles or metadata you add
  • When the link was created or last updated

Analytics Data

When someone clicks one of your links, we collect privacy-focused analytics:

  • When the click happened
  • Browser type and version
  • Operating system
  • Device type (mobile, desktop, tablet)
  • Approximate location (country and city, derived from IP address)
  • Referring website (if any)
  • A one-way hash of the IP address (SHA-256 — irreversible)

About location accuracy:Location data is resolved automatically at the infrastructure level — the visitor's IP address is converted to an approximate geographic location by our edge provider as part of the request, then immediately normalized and cryptographically hashed. The raw IP address is never stored, never logged, and never seen by a human. It exists only in memory for the duration of a single request, then it's gone. Only the irreversible hash and the resulting country/city data are retained.

Country-level data is generally reliable. City-level data is not — and you should treat it as a rough estimate rather than fact. Modern privacy technologies like Apple's iCloud Private Relay, VPNs, corporate proxies, and mobile carrier NAT routinely mask or relocate the apparent origin of web traffic. A visitor physically in one city may easily show up as being in another.

This is a deliberate trade-off. We chose not to use invasive techniques like browser fingerprinting or client-side geolocation prompts that could provide more precise results. We think respecting visitor privacy is more important than pinpoint accuracy. The analytics we provide are a directional tool — useful for spotting broad geographic trends, not for drawing precise conclusions about where individual clicks came from.

About device and browser data:Device type, browser, and OS are parsed from the visitor's user agent string. This is generally reliable but not perfect — some browsers report misleading user agent strings for compatibility, and browser vendors are increasingly reducing the information they expose. Treat device analytics as directionally useful.

Payment Data

Payments are handled by Stripe. On our end, we store:

  • Your Stripe customer ID
  • Subscription status and plan tier
  • Subscription start and end dates
  • Currency preference

We never see or store your credit card number. Stripe handles all payment details under PCI-DSS standards.

Technical Data

We automatically collect:

  • Browser locale and time zone
  • Theme preference (light or dark mode)
  • Usage patterns for performance optimization

Why We Process Your Data

We have a legal basis for everything we do with your data:

  • Contractual necessity: We need your data to provide the link management service you signed up for
  • Legitimate interests: Improving performance, preventing abuse, and providing analytics
  • Consent: For optional things like marketing emails (only if you opt in)
  • Legal obligations: Tax, accounting, and regulatory compliance

How We Use Your Data

  • Running and maintaining the link management service
  • Authenticating you and managing your account
  • Processing payments and managing subscriptions
  • Providing analytics on how your links perform
  • Sending transactional emails (verification, password resets, billing)
  • Detecting and preventing abuse, fraud, and security issues
  • Improving the service and user experience
  • Meeting legal obligations

Who We Share Data With

Only the service providers we need to run the platform:

  • Convex — database and backend infrastructure
  • Vercel — hosting and edge functions
  • Stripe — payment processing
  • Resend — transactional email delivery
  • Upstash — caching infrastructure

All of these providers offer EU-based data centers, are GDPR-compliant, and operate under appropriate safeguards including Standard Contractual Clauses (SCCs).

We never sell your data. We never share it with advertisers.

How Long We Keep Your Data

  • Account data: Until you delete your account, plus 30 days for backup recovery
  • Link and analytics data: Until you delete your links or your account
  • Payment records: As long as tax and accounting regulations require
  • Auth logs: 90 days, for security purposes

After deletion, data may linger in backups for up to 30 days before it's permanently removed.

Your Rights Under GDPR

You have the right to:

  • Access — get a copy of your personal data
  • Rectification — correct inaccurate data
  • Erasure — delete your account and data
  • Portability — export your data in a structured format
  • Restriction — limit how we process your data
  • Objection — object to processing based on legitimate interests
  • Withdraw consent — for anything you opted into

You can exercise most of these directly in your account settings. Account deletion is available there too. For anything else, contact us through support.

You can also file a complaint with your local data protection authority. In Denmark, that's Datatilsynet.

Cookies

We use essential cookies only — no third-party trackers, no ad cookies:

  • Authentication cookies — to keep you logged in
  • Preference cookies — to remember your theme and locale

These are strictly necessary for the service to work and don't require consent under GDPR.

Security

We take reasonable measures to protect your data:

  • Encryption in transit (TLS/HTTPS) and at rest
  • Industry-standard password hashing
  • IP addresses hashed before storage (SHA-256)
  • Access controls and authentication
  • Regular security updates and monitoring
  • Encrypted automated backups

No system is perfectly secure. Keep your login credentials safe.

International Data Transfers

If any of your data is processed outside the EU/EEA, those transfers are protected by:

  • EU Commission-approved Standard Contractual Clauses (SCCs)
  • Our providers' GDPR compliance commitments
  • Appropriate technical and organizational safeguards

Children

This service isn't for anyone under 16. We don't knowingly collect data from children. If you think a child has given us personal data, let us know and we'll remove it.

Changes to This Policy

We may update this policy as our practices or legal requirements change. If we make material changes, we'll notify you by email or in-app notification. Continued use after a change means you accept the updated policy.

Data Controller

Zebra Linkis operated from Denmark. We're responsible for your personal data. You can reach the data controller at privacy@zeblink.io

Contact

For privacy questions, data requests, or to exercise your rights: contact us.

For data protection matters, you can also contact the Danish Data Protection Agency (Datatilsynet) at datatilsynet.dk.