Privacy Policy
Last updated: 4 March 2026
1. Who We Are
LinkOwl is an attribution service for mobile app developers, operated by Sam Wild ("we", "us", "our"). We are based in the United Kingdom.
For questions about this policy or your data, contact us at hello@linkowl.app.
2. This Policy Covers Two Groups
This policy covers:
- Dashboard users — developers who sign up to linkowl.app to use our service
- End users — people who use apps that have the LinkOwl SDK installed
3. What We Collect from Dashboard Users
When you create an account and use our dashboard:
| Data | Purpose | Legal Basis |
|---|---|---|
| Email address | Account creation, login, notifications | Contract |
| Password (hashed) | Authentication | Contract |
| App details (name, bundle ID, App Store URL) | Service configuration | Contract |
| Billing events | Usage tracking and invoicing | Contract |
4. What Our SDK Collects from End Users
When the LinkOwl SDK is installed in a developer's app, we collect minimal data from end users:
| Data | Purpose | How We Handle It |
|---|---|---|
| IP address | Attribution matching | Hashed server-side with daily-rotating salt. Never stored in plain text. Hash expires in 24 hours. |
| Timezone | Attribution matching | Used to improve match confidence |
| Locale | Attribution matching | Used to improve match confidence |
| Timestamp | Attribution window | When the install occurred |
We do NOT collect: device IDs (IDFA, IDFV), advertising identifiers, screen size, device model, contacts, photos, location, or any data requiring Apple's App Tracking Transparency prompt.
5. Purchase Data from Webhooks
If a developer connects RevenueCat or Superwall, we receive purchase event data via webhooks. This includes:
- Transaction ID
- App user ID (anonymous, set by the paywall provider)
- Product ID and price
- Currency and purchase timestamp
This data is used solely to attribute purchases to tracking links and calculate billing.
6. How We Use Data
- Match clicks to installs (attribution)
- Match installs to purchases (revenue attribution)
- Display analytics in the developer dashboard
- Calculate billing
- Send service-related emails (account, billing, security)
We do not sell data to third parties. We do not use data for advertising. We do not build user profiles.
7. Data Retention
- IP hashes: The daily-rotating salt means IP hashes become unmatchable after 24 hours. The hash remains in our database for attribution records but cannot be reversed to an IP address.
- Click, install, and purchase records: Retained for as long as your account is active, plus 30 days after deletion.
- Account data: Deleted within 30 days of account deletion.
- Billing records: Retained for 7 years as required by UK tax law.
8. Sub-Processors
We use the following third-party services to provide LinkOwl:
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database and authentication | EU (Frankfurt) |
| Vercel | Website hosting and serverless functions | Global (CDN), primary US |
| Resend | Transactional emails | EU (Ireland) |
We will notify dashboard users by email before adding new sub-processors. If you object to a new sub-processor, you may terminate your account.
9. International Transfers
Some of our sub-processors (Vercel) process data in the United States. These transfers are protected by Standard Contractual Clauses (SCCs) as approved by the UK Information Commissioner's Office, and/or the UK adequacy regulations.
10. Your Rights (UK GDPR)
If you are a dashboard user, you have the right to:
- Access — request a copy of the data we hold about you
- Rectification — correct inaccurate data
- Erasure — request deletion of your data ("right to be forgotten")
- Portability — receive your data in a machine-readable format
- Object — object to processing based on legitimate interest
- Restrict — request we limit processing of your data
To exercise any of these rights, email hello@linkowl.app. We'll respond within 30 days.
End users should contact the app developer (our customer) directly for data requests. We will assist developers in fulfilling these requests.
11. Cookies
The linkowl.app website uses essential cookies only:
- Authentication cookies — to keep you logged in to the dashboard (httpOnly, secure)
We do not use analytics cookies, advertising cookies, or third-party tracking cookies. The LinkOwl SDK does not set any cookies on end-user devices.
12. Security
We protect your data with:
- HTTPS/TLS encryption for all data in transit
- IP addresses hashed with daily-rotating salt (never stored in plain text)
- Passwords hashed using bcrypt (via Supabase Auth)
- API keys are unique per app and can be regenerated
- Row-level security (RLS) on all database tables
- httpOnly secure cookies for authentication
13. Data Breach Notification
In the event of a data breach that affects your personal data, we will notify you and the UK Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, as required by UK GDPR.
14. Changes to This Policy
We may update this policy from time to time. We'll notify dashboard users by email of material changes. The "last updated" date at the top will always reflect the current version.
15. Complaints
If you're unhappy with how we handle your data, you can complain to the UK Information Commissioner's Office (ICO). We'd appreciate the chance to address your concerns first — email us at hello@linkowl.app.