Privacy Policy
Last updated: July 14, 2026
Tolinks is a link-in-bio platform: you build one public page that gathers your links, social profiles, and content behind a short username. This policy explains what we collect when you use Tolinks, why we collect it, who we share it with, and the rights you have over your data. We wrote it for people, not for a compliance binder — if anything is unclear, email privacy@tolinks.in.
When we make a material change to this policy, we'll post the new version here with a fresh "Last updated" date and, where the law requires (for example GDPR and CCPA material changes), email you directly.
Contents
- Who we are
- What we collect
- Where it comes from
- Why we use it, and our legal basis
- Who we share it with
- International data transfers
- Cookies and similar technologies
- How long we keep it
- Your privacy rights
- Children's privacy
- How we protect your data
- Contact us
Who we are
Tolinks ("Tolinks", "we", "us", or "the Company") is the data controller for the personal data described here. Our registered office is in India; for the full registered entity name and address, contact legal@tolinks.in. We operate from https://tolinks.in (and www.tolinks.in), and your public profile lives at https://tolinks.in/[your-username].
What we collect
Account data. Email address, sign-in credentials, and the basic identity you register with (display name and chosen username). Passwords are hashed and salted by our authentication provider and are never stored or visible to us in plaintext.
Profile and content data. The information you choose to put on your page: your bio, avatar, theme and layout settings, the links and social accounts you add, featured items, and any custom page text. This content is public by design.
Usage and analytics data. When you or your visitors use Tolinks we record, per link click or page view: the link or page viewed, the referring URL, approximate location (country and, where available, city derived from your IP address — not precise GPS), device type, browser and operating system, and a timestamp. We use first-party, privacy-respecting analytics and do not build cross-site advertising profiles from this data.
Payment data. If you upgrade to a paid plan, your payment is processed by Razorpay. We receive your billing email, the plan you chose, the amount and currency, the billing cycle, and (for verification) the last four digits of your card and your billing country. We never receive, transmit, or store full card numbers, CVV, or other sensitive authentication data — Razorpay handles that under its own PCI-DSS-compliant systems.
Support and communications data. Messages you send to our support and the email address you use for product and (with consent) marketing communications.
Where it comes from
- You provide it directly when you sign up, build your profile, message support, or contact us.
- It's generated automatically as you and your visitors use the service (analytics, logs, session tokens).
- It comes from third parties in limited cases: our authentication provider (when you sign in), Razorpay (billing events), and our email provider (delivery receipts).
Why we use it, and our legal basis
| Purpose | What it covers | Legal basis (where GDPR applies) |
|---|---|---|
| Provide the service | Create your account, render your profile, process link clicks | Performance of a contract |
| Billing | Process subscriptions and renewals via Razorpay | Performance of a contract; legal obligation (tax records) |
| Security & fraud prevention | Detect abuse, keep accounts safe, maintain logs | Legitimate interests |
| Product analytics | Understand feature usage and improve Tolinks | Legitimate interests |
| Marketing email | Send product news you opted into | Consent |
| Non-essential cookies | Preferences and analytics beyond what's strictly required | Consent |
Who we share it with
We don't sell your personal data, and we don't share it except with vetted processors who help us run Tolinks:
- Firebase / Google — authentication, database, and file storage for avatars and media.
- Razorpay — subscription billing and payment processing.
- Brevo — sending transactional and (with consent) marketing email.
- Cloudflare — hosting, content delivery (CDN), and media storage (R2).
Each acts on our instructions under a written data-processing agreement. We may also disclose data where required by law (for example a valid court order) or to protect the rights, safety, and security of Tolinks and our users.
International data transfers
Because we use providers such as Firebase, Cloudflare, and Razorpay, your data may be processed outside India — including in the United States and the European Union. Where data of EU/UK users is transferred, we rely on the recipient's certified safeguards (such as Standard Contractual Clauses or an adequacy mechanism) or the safeguards those providers publish. If you're an EU/UK user and we're required to name an EU representative, we'll publish their details on this page.
Cookies and similar technologies
We use a small set of cookies and local storage values. Essential ones (session token, theme preference, security) are always on. Non-essential ones (analytics and marketing preferences) are loaded only after you consent through our cookie banner, as required in the EU/UK. Full detail — including how to control or delete them — is in our Cookie Policy.
How long we keep it
- Account and profile data: until you delete your account, then purged from live systems within 30 days (backups follow on their normal cycle).
- Analytics data: retained for 24 months, after which it is aggregated or anonymized.
- Payment and billing records: kept for the period Indian tax and accounting law requires — up to 8 years.
- Support messages: retained for 24 months after your ticket closes.
Your privacy rights
Depending on where you live, you can access, correct, export, or delete your data, object to or restrict certain processing, and withdraw consent at any time.
- Everyone: manage or delete most of your data from your dashboard, or email privacy@tolinks.in. Account deletion is self-serve in the dashboard.
- EU/UK (GDPR): the rights above, plus the right to lodge a complaint with your local supervisory authority.
- California (CCPA/CPRA): the right to know, delete, correct, and opt out of any "sale" or "sharing" of personal information. We do not sell or share your data for cross-context behavioral advertising, so no opt-out mechanism is required — but you can still exercise any right by emailing privacy@tolinks.in.
- India (DPDP Act 2023): the right to access, correct, and erase your data, nominate someone to exercise your rights, and reach our Grievance Officer (see Grievance Redressal).
We respond to verified requests within 30 days (or the period the applicable law sets). We may need to confirm your identity before acting.
Children's privacy
Tolinks is for people 13 and older. We don't knowingly collect data from anyone under 13. Users aged 13–17 may use Tolinks only with verifiable parental or guardian consent, and we do not serve targeted advertising or behavioral tracking to minors. If we learn an account belongs to a child under 13, we'll delete it and its data promptly.
How we protect your data
Data is encrypted in transit (TLS) and at rest through our infrastructure providers. Passwords are hashed, access is role-restricted, and we monitor for abuse. If a breach affects your personal data, we'll notify you and the relevant regulator without undue delay — and, where GDPR applies, within 72 hours of becoming aware of a high-risk incident.
Contact
Questions about this policy or a data request?
- Privacy: privacy@tolinks.in
- Grievance Officer (India): grievance@tolinks.in
- Postal: c/o Tolinks, India — contact legal@tolinks.in for the registered address.
