Effective date: November 1, 2025
This Privacy Policy explains how LinkTransform LTD (“LinkTransform,” “we,” “us,” or “our”) collects, uses, discloses, and safeguards personal information when you use our QR code, URL shortening, file hosting, BioPage/link‑in‑bio, custom domain, API, webhooks, team/workspaces, and analytics services (the “Services”). We are established in South Africa and align our practices with the Protection of Personal Information Act, 2013 (POPIA).
By using the Services, you acknowledge this Privacy Policy. If you do not agree, do not use the Services.
Scope and roles under POPIA
LinkTransform acts as a POPIA “Responsible Party” for personal information we collect about account users and visitors.
When you use our Services to process personal information about your own end users (e.g., in links, QR codes, files, BioPages, API/webhooks), you are the Responsible Party for that data and LinkTransform acts as your “Operator” processing it on your instructions.
Information we collect
Account and profile data: name, email address, password (hashed and salted).
Billing and payments: handled by Stripe. We receive payment status, plan, invoices, tax details, and Stripe customer IDs/tokens. We do not store card numbers or CVV.
Service content and metadata:
Destination URLs, titles, tags, UTM parameters.
QR code images and settings.
Files you upload (e.g., images, PDFs, videos) and file metadata (filename, size, type, hash).
Custom domains and DNS records required to provision your domain.
Workspace/team membership, roles, and invitations.
Usage, events, and diagnostics:
IP address, approximate geolocation derived from IP, user agent, device/OS/browser data, referring URL, timestamps, session identifiers, API usage, webhook delivery logs.
Link clicks and QR scans (counts, timing, referrer/UA/IP context).
Cookies and similar technologies:
Essential cookies for authentication, session management, and security.
Analytics cookies/scripts via PostHog, Google Analytics, and Microsoft Clarity to understand product usage and improve performance.
Safety checks:
We query Google Safe Browsing/Web Risk for malicious or phishing destinations. We do not otherwise scan content for malware, copyright, or policy violations.
Please do not upload special categories of personal information (e.g., health, biometric) or regulated financial identifiers to files, links, or BioPages.
How we use information
We process personal information to:
Provide and operate the Services, including hosting links, QR codes, files, BioPages, custom domains, API/webhooks, and analytics.
Authenticate users, secure accounts, prevent fraud/abuse, and ensure service integrity.
Measure and improve performance, features, and usability (product analytics, debugging).
Communicate service notices, onboarding, billing, and support responses.
Comply with legal obligations and enforce terms.
POPIA processing justifications
We process personal information under POPIA where reasonably necessary to:
Conclude or perform a contract with you for the Services.
Comply with the law (e.g., tax, security obligations).
Pursue our legitimate interests in operating, securing, and improving the Services, balanced against your rights and expectations.
Obtain consent where required (e.g., if you choose to make content public). You may withdraw consent at any time, which will not affect prior processing.
When acting as your Operator, we process only on your documented instructions, subject to this Policy and our terms.
Public vs. private content
You can mark links, files, and BioPages as public, private, or unlisted.
Public content may be indexed by search engines and copied by third parties. We cannot control third‑party caching or archiving.
Changing a public item to private may not remove copies from third‑party caches.
Cookies and analytics
Essential cookies run by default for login and security.
We use PostHog, Google Analytics, and Microsoft Clarity to understand usage and improve the product. These tools may set cookies and collect IP address, user agent, referrer, and on‑site interactions. We configure reasonable safeguards to avoid capturing passwords or payment data within session recordings.
You can manage cookies via your browser settings. Blocking cookies may affect functionality.
We do not use advertising or retargeting pixels and do not sell personal information.
Payments
Stripe processes all payments. We receive billing status and tokens from Stripe and do not store cardholder data on our systems. Stripe’s PCI DSS compliance covers card processing.
Sharing and disclosures
We do not sell your personal information. We disclose information only as needed:
Service providers (Operators): infrastructure and tools used to deliver the Services, including:
Hosting and storage: Hostinger (US), Cloudflare R2 (EU), Cloudflare DNS/CDN.
Analytics and telemetry: PostHog, Google Analytics, Microsoft Clarity.
Communications and support: email service providers and helpdesk tools (as applicable).
Payments: Stripe.
Safety and compliance: to comply with laws, legal process, or enforce our terms, or to protect rights, safety, and security.
Business transactions: in a merger, acquisition, financing, or sale of assets, personal information may be transferred, subject to confidentiality commitments.
We require Operators to process personal information only to provide contracted services and to protect it appropriately.
International transfers
We store and process data in multiple countries, including South Africa, the United States (e.g., Hostinger, Stripe), and the European Union (e.g., Cloudflare R2). Under POPIA section 72, we transfer personal information cross‑border where:
The recipient is subject to a law, binding corporate rules, or agreements that provide an adequate level of protection.
The transfer is necessary for performance of our contract with you or for your benefit.
You have consented by using features that require global delivery (e.g., public links on a global CDN).
By using the Services, you understand your information may be processed in these jurisdictions.
Security
We use TLS encryption in transit and provider‑level encryption at rest where available.
We maintain access controls and basic login auditing, including IP logging.
We do not currently hold SOC 2/ISO 27001 attestations.
No security controls are perfect. You are responsible for choosing appropriate privacy settings, protecting your credentials, and avoiding uploads of sensitive data.
Data retention and deletion
Default retention: We retain logs, analytics events, link/QR scan data, and related telemetry for approximately 365 days.
Content you create (links, files, QR codes, BioPages) remains until you delete it or close your account.
Backups: We take daily backups of our database and site. Deleted data may persist in backups for a limited rotation period and is not restored except for disaster recovery. We cannot delete individual records from backups.
Post‑deletion analytics: When you delete a link/file, we do not retain associated analytics in de‑identified form.
Account closure: Upon verified request, we will delete or de‑identify your personal information within a reasonable time, subject to legal retention requirements and backup rotation.
Your rights under POPIA
Subject to limitations and verification, you may:
Access your personal information and request a copy.
Request correction or deletion.
Object to or request restriction of processing where permitted by law.
Withdraw consent where processing is based on consent.
Lodge a complaint with the Information Regulator (South Africa).
To exercise rights, contact support@linktransform.com. We may request information to verify your identity and will respond within a reasonable period. Certain information may be retained as required by law or for the establishment, exercise, or defense of legal claims.
Operator obligations when you process others’ data
If you use the Services to process personal information of third parties (e.g., your customers):
You act as the Responsible Party and must ensure a lawful basis, provide required notices, and honor data subject rights.
We act as your Operator and will:
Process only on your instructions and provide reasonable assistance with security and breach notifications.
Implement appropriate safeguards aligned to the Services described here.
Ensure personnel confidentiality and restrict subprocessing to providers needed to operate the Services.
Delete or return personal information upon termination or your instruction, subject to backup rotation and legal requirements.
Do not use the Services to process special categories or children’s data unless you have ensured appropriate protections and that the Services are suitable for such data.
Children
The Services are intended for business and adult users. You must be at least 18 to create an account. We do not knowingly collect personal information from children. If you believe a child has provided personal information, contact us to request deletion.
Law enforcement and government requests
We require valid legal process before disclosing customer information, except in emergencies involving danger of death or serious physical harm.
We will attempt to notify affected customers before disclosure unless legally prohibited or where notification would be futile or dangerous.
We minimize disclosures to what is legally required.
Data breaches
If we become aware of a security compromise likely to result in a real risk of harm, we will take steps required by POPIA, including notifying the Information Regulator and affected individuals as soon as reasonably possible, providing information about the breach and our remediation.
Third‑party services and links
Our Services may link to third‑party sites or host user‑supplied content. We are not responsible for third‑party privacy practices or content safety. Exercise caution when following links or downloading files hosted by users.
Changes to this Policy
We may update this Policy from time to time. Material changes will be indicated by updating the “Effective date.” Continued use of the Services after changes constitutes acceptance.
Contact
Email: support@linktransform.com
Information Officer: You may contact our Information Officer via the email above.
If you submit a privacy request, include your account email, a description of your request, and proof of identity sufficient for verification.
Definitions (plain‑language)
“Personal information” has the meaning in POPIA and includes information that identifies or can reasonably identify a person.
“Processing” means any operation on personal information (collecting, storing, using, disclosing, etc.).
“Responsible Party” is the person or body that determines the purpose and means of processing.
“Operator” is a person or body that processes personal information for a Responsible Party in terms of a contract or mandate.