Privacy Policy
Last updated: May 14, 2026 — Version 2.0
Preamble
Liink ("we", "our", "us") operates a B2B SaaS platform for jewelry brands and manufacturers. This Privacy Policy explains how we collect, use, retain and protect personal data of our users, in accordance with EU Regulation 2016/679 (GDPR) and the French Data Protection Act. By using Liink, you accept the processing operations described below.
1. Controller
The data controller is Liink, currently being incorporated. Contact via the website's Contact page. Our Data Protection Officer (DPO) is reachable at privacy@liink.ink. For any data-related request, see the "Your rights" section below.
2. Data we collect
Depending on your usage, we collect the following categories of data:
- Identification data: first/last name, email, phone, profile picture (optional).
- Business data: company name, position, VAT number, billing address.
- Authentication data: hashed password (never plain text), 2FA factors (TOTP/OTP), API tokens.
- Business data: orders, items, manufacturing records, stock movements, police book entries, gold accounts, invoices, quotes. Some of this data may include third-party information (your brand's end clients, external counterparties).
- Technical data: IP address, browser type, pages visited, error logs, performance metrics.
- Payment data: we never store complete payment details. Payments are processed by Stripe (see "Subprocessors").
3. Purposes of processing
Your data is processed for the following purposes:
- Provide and maintain the service (account management, feature access, user support).
- Manage subscriptions and billing (via Stripe).
- Communicate with you (transactional notifications, alerts, support).
- Improve the service (anonymized analytics, bug detection, performance optimization).
- Comply with legal and regulatory obligations (police book art. 537 CGI, accounting, invoice retention).
- Prevent and detect fraud, abuse and security incidents.
4. Legal basis (GDPR art. 6)
Each purpose relies on a specific legal basis:
- Contract performance (art. 6.1.b): user account, subscription, service delivery.
- Legal obligation (art. 6.1.c): police book, invoice retention (10 years), accounting.
- Legitimate interest (art. 6.1.f): fraud prevention, application security (logs), anonymized product improvement. You can object at any time.
- Consent (art. 6.1.a): analytics cookies (PostHog, Google Analytics), marketing emails, optional communications. You can withdraw consent at any time via the cookie banner or your account settings.
5. Retention period
Retention periods match each purpose:
- User account: for the duration of your subscription, then 3 years after the end of the contract (civil limitation period).
- Billing data: 10 years from issuance (French Commercial Code art. L123-22).
- Police book: 6 years after last entry (CGI art. 537). Entries are immutable and hash-chained (SHA-256).
- Error and security logs: 12 months maximum, anonymized thereafter.
- Analytics cookies: 13 months max (CNIL recommendation).
- Authentication tokens: 7 days (session cookie), revocable any time by logging out.
6. Subprocessors and recipients
We use the following subprocessors, all bound by GDPR art. 28 compliant agreements:
- Vercel Inc. (USA) — application hosting, CDN, serverless functions. Data processed in EU region (fra1). EU Standard Contractual Clauses + Data Privacy Framework.
- Neon Inc. (USA) — PostgreSQL database hosting. EU Frankfurt region. Data encrypted at rest.
- Stripe Payments Europe Ltd (Ireland) — payment and subscription processing. PCI-DSS Level 1 compliant. Liink never receives full card numbers.
- Resend Inc. (USA) — transactional emails (notifications, verification). EU Standard Contractual Clauses.
- Upstash Inc. (USA) — Redis for rate-limiting. No personal data stored (only anonymized counters).
- PostHog Inc. (EU region) — product analytics, CNIL opt-in. IP anonymization enabled.
- Sentry Inc. (USA) — application observability. PII scrubber configured on Liink's side to remove emails, names and addresses before transmission. Legitimate interest.
- Inngest Inc. (USA) — async job orchestration (deferred email sending, cron audits). No business data stored.
7. Cookies and trackers
Liink uses three categories of cookies: necessary (authentication, CSRF security, consent preferences — always on, as they are indispensable to the service), analytics (PostHog, Google Analytics — subject to your explicit consent via the banner), and marketing (currently unused, reserved for future use). You can change your preferences at any time via the cookie banner or by clearing your browser cookies. Analytics cookies last 13 months max per CNIL recommendation.
8. Your rights
Under GDPR, you have the following rights regarding your personal data:
- Right of access (art. 15): obtain a copy of your data.
- Right of rectification (art. 16): correct inaccurate or incomplete data. Accessible directly via account settings.
- Right to erasure (art. 17): request deletion of your data. Note: police book entries are retained for 6 years (legal obligation). Your account will be anonymized rather than hard-deleted to preserve the integrity of the legal hash chain.
- Right to restriction (art. 18): temporarily freeze processing.
- Right to data portability (art. 20): receive your data in a structured, machine-readable format (JSON export).
- Right to object (art. 21): object to processing based on legitimate interest (logs, product improvement).
- Right to withdraw consent at any time (art. 7.3): without effect on the lawfulness of prior processing.
- Right to define post-mortem directives (French Data Protection Act).
9. Security
We implement the following technical and organizational security measures: TLS 1.3 encryption on all routes, database encryption at rest (AES-256), hashed passwords (Argon2/bcrypt), optional 2FA (TOTP/OTP email), nonce-based Content Security Policy, strict separation of application layers, weekly police book hash chain integrity audit, distributed rate-limiting, error monitoring (Sentry) with automatic PII scrubbing, daily database backups (7-day retention).
10. Transfers outside the EU
Some subprocessors are based outside the European Union (Vercel, Stripe, Resend, Sentry, Upstash, Inngest in the USA). These transfers are governed by the EU Standard Contractual Clauses adopted by the European Commission and, where available, by the subprocessor's adherence to the EU-U.S. Data Privacy Framework. You can obtain a copy of these safeguards by contacting privacy@liink.ink.
11. Minors
Liink is a B2B service intended for jewelry professionals. We do not knowingly collect data about persons under 16. If you believe a minor has provided us with data, contact privacy@liink.ink and we will delete it without delay.
12. Changes to this policy
We may update this policy to reflect technical, legal or service changes. The date of the last update appears at the top of the page. For substantial changes (new major subprocessor, new purpose, changes to retention periods), we will notify you by email at least 30 days before they take effect.
13. Contact and CNIL complaints
For any data-related question or to exercise your rights: privacy@liink.ink. We commit to responding within 30 days (GDPR art. 12). You also have the right to lodge a complaint with the French Data Protection Authority (CNIL): 3 Place de Fontenoy, TSA 80715, 75334 PARIS CEDEX 07, www.cnil.fr.