Privacy Policy

1.1 Interpretation

Words with initial capital letters have defined meanings under the following conditions. These definitions apply whether they appear in singular or plural form.

1.2 Definitions

For the purposes of this Privacy Policy:

• Account means a unique account created for You to access our Service or parts of our Service.
• Affiliatemeans an entity that controls, is controlled by, or is under common control with a party, where "control" means ownership of 50% or more of the shares, equity interest, or other securities entitled to vote for election of directors or other managing authority.
• Company refers to Linkrunner Private Limited, HustleHub Tech Park, Sector 2, HSR Layout, Bangalore, Karnataka 560102, India.
• Cookies are small files placed on Your computer, mobile device, or any other device by a website, containing details of Your browsing history on that website among its many uses.
• Data Controller means the natural or legal person who determines the purposes and means of the processing of personal data.
• Data Processor means a natural or legal person who processes personal data on behalf of the Data Controller.
• Data Subject means the individual to whom Personal Data relates.
• Device means any device that can access the Service such as a computer, cellphone, or digital tablet.
• EEA means the European Economic Area.
• Personal Data means any information relating to an identified or identifiable natural person.
• Service refers to the Linkrunner mobile attribution and analytics platform, including the website, dashboard, APIs, and SDK.
• Service Provider(also referred to as "Subprocessor") means any natural or legal person who processes data on behalf of the Company to facilitate the Service.
• Usage Data refers to data collected automatically, either generated by the use of the Service or from the Service infrastructure itself.
• Website refers to Linkrunner, accessible from https://linkrunner.io
• You means the individual accessing or using the Service, or the company or other legal entity on behalf of which such individual is accessing or using the Service.

2.1 When We Act as Data Controller

We act as a Data Controller when:

• You visit our website or use our dashboard
• You create an account with us
• You contact us for support or inquiries
• We process Your account and billing information

2.2 When We Act as Data Processor

We act as a Data Processor when:

• We process end-user attribution data on behalf of our customers
• We handle analytics data that our customers collect through our SDK
• We process any personal data as instructed by our customers under a Data Processing Agreement (DPA)

When acting as a Data Processor, our customers are the Data Controllers, and their privacy policies govern the collection and use of end-user data. We process such data only in accordance with our customers' documented instructions and applicable Data Processing Agreements.

3.1 Performance of a Contract (Article 6(1)(b))

We process data necessary to fulfill our contractual obligations to You, including:

• Creating and managing Your account
• Providing the attribution and analytics services You have subscribed to
• Processing payments and billing
• Providing customer support

3.2 Legitimate Interests (Article 6(1)(f))

We process data based on our legitimate interests, provided these interests are not overridden by Your rights and freedoms. This includes:

• Improving and optimizing our Service
• Detecting and preventing fraud or abuse
• Ensuring network and information security
• Conducting business analytics and reporting

3.3 Legal Obligation (Article 6(1)(c))

We process data when required to comply with applicable laws, regulations, or legal processes, including:

• Tax and accounting requirements
• Responding to lawful requests from public authorities
• Compliance with data protection laws

3.4 Consent (Article 6(1)(a))

Where required by law, we obtain Your consent before processing Your Personal Data for specific purposes, such as:

• Sending marketing communications
• Using non-essential cookies
• Processing special categories of data (if applicable)

You may withdraw Your consent at any time by contacting us at darshil@linkrunner.io or shreyans@linkrunner.io. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

4.1 Personal Data

When You use Our Service, We may ask You to provide Us with certain personally identifiable information that can be used to contact or identify You. This may include:

• Email address
• First name and last name
• Phone number (optional)
• Company name and job title
• Billing address
• Payment information (processed by our payment processor)

4.2 Usage Data

Usage Data is collected automatically when using the Service and may include:

• Your Device's Internet Protocol address (IP address)
• Browser type and version
• The pages of our Service that You visit
• The time and date of Your visit
• Time spent on pages
• Unique device identifiers
• Diagnostic data

When You access the Service through a mobile device, We may collect type of mobile device, mobile device unique ID, IP address of Your mobile device, mobile operating system, type of mobile Internet browser, unique device identifiers, and other diagnostic data.

4.3 Attribution and Analytics Data (Processed as Data Processor)

When our customers use our SDK in their mobile applications, we may process the following data on their behalf:

• Advertising identifiers (IDFA, GAID)
• Device information and characteristics
• App installation and event data
• Campaign attribution data
• Conversion and revenue data
• IP addresses (for geo-location purposes)

This data is processed in accordance with our customers' instructions and the applicable Data Processing Agreement.

5.1 Types of Cookies We Use

5.2 Cookie Consent

In accordance with GDPR requirements, we obtain Your consent before placing non-essential cookies on Your device. You can manage Your cookie preferences at any time through our cookie consent banner or by adjusting Your browser settings.

5.3 How to Control Cookies

You can set Your browser to refuse all cookies or indicate when a cookie is being sent. However, if You do not accept cookies, You may not be able to use some parts of our Service.

7.1 With Service Providers (Subprocessors)

We share data with third-party service providers who assist us in operating the Service. These providers are contractually bound to protect Your data and may only process it for specified purposes.

Our current Subprocessors include:

We maintain an up-to-date list of subprocessors and will notify customers of any changes as required by our Data Processing Agreements.

7.2 For Business Transfers

If the Company is involved in a merger, acquisition, or asset sale, Your Personal Data may be transferred. We will provide notice before Your Personal Data is transferred and becomes subject to a different Privacy Policy.

7.3 With Affiliates

We may share Your information with Our affiliates, in which case we will require those affiliates to honor this Privacy Policy.

7.4 With Business Partners

We may share Your information with Our business partners to offer You certain products, services, or promotions, with Your consent.

7.5 For Legal Requirements

We may disclose Your Personal Data if required to do so by law or in response to valid requests by public authorities, including to:

• Comply with a legal obligation
• Protect and defend the rights or property of the Company
• Prevent or investigate possible wrongdoing in connection with the Service
• Protect the personal safety of users of the Service or the public
• Protect against legal liability

8.1 Transfer Mechanisms

For transfers of Personal Data from the EEA, UK, or Switzerland to countries that have not been deemed to provide an adequate level of data protection, we rely on:

• Standard Contractual Clauses (SCCs):We use the European Commission's Standard Contractual Clauses for data transfers to countries outside the EEA.
• Adequacy Decisions: Where applicable, we transfer data to countries that have received an adequacy decision from the European Commission.
• Supplementary Measures: Where necessary, we implement additional technical and organizational measures to ensure an adequate level of protection.

8.2 Transfer Impact Assessments

We conduct Transfer Impact Assessments (TIAs) to evaluate the laws and practices of destination countries and implement supplementary measures where necessary to ensure that transferred data receives a level of protection essentially equivalent to that guaranteed within the EEA.

8.3 Data Processing Agreements

We enter into Data Processing Agreements (DPAs) with our customers that include Standard Contractual Clauses and define the terms under which we process Personal Data on their behalf. Customers may request a copy of our DPA by contacting darshil@linkrunner.io or shreyans@linkrunner.io.

9.1 Retention Periods

We retain Personal Data only for as long as necessary for the purposes set out in this Privacy Policy:

9.2 Criteria for Retention

When determining retention periods, we consider:

• The nature and sensitivity of the data
• The purposes for which we process the data
• Applicable legal requirements
• Our legitimate business interests
• Customer instructions (when acting as Processor)

9.3 Data Deletion

Upon expiration of the retention period or upon valid request, we will securely delete or anonymize Your Personal Data, unless retention is required by law or for the establishment, exercise, or defense of legal claims.

10.1 Right to be Informed (Articles 13 & 14)

You have the right to be informed about the collection and use of Your Personal Data at the time it is collected. We fulfill this right by providing You with information through this Privacy Policy and through specific notices at the point of data collection.

10.2 Right of Access (Article 15)

You have the right to request copies of Your Personal Data. We may charge a reasonable fee for additional copies.

10.3 Right to Rectification (Article 16)

You have the right to request that We correct any information You believe is inaccurate or complete information You believe is incomplete.

10.4 Right to Erasure (Article 17)

You have the right to request that We erase Your Personal Data, under certain conditions, including when:

• The data is no longer necessary for the purposes for which it was collected
• You withdraw consent (where processing was based on consent)
• You object to processing and there are no overriding legitimate grounds
• The data has been unlawfully processed

10.5 Right to Restriction of Processing (Article 18)

You have the right to request that We restrict the processing of Your Personal Data, under certain conditions, including when You contest the accuracy of the data, processing is unlawful, We no longer need the data but You need it for legal claims, or You have objected to processing pending verification.

10.6 Right to Data Portability (Article 20)

You have the right to receive the Personal Data You have provided to Us in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.

10.7 Right to Object (Article 21)

You have the right to object to processing of Your Personal Data where processing is based on legitimate interests, for direct marketing purposes, or for scientific/historical research or statistical purposes.

10.8 Right Not to Be Subject to Automated Decision-Making (Article 22)

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects You. We do not currently engage in solely automated decision-making that produces legal or similarly significant effects.

10.9 Right to Withdraw Consent

Where We rely on consent as the legal basis for processing, You have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

10.10 Right to Lodge a Complaint

You have the right to lodge a complaint with a Supervisory Authority in the EU Member State of Your habitual residence, place of work, or place of the alleged infringement.

10.11 How to Exercise Your Rights

To exercise any of these rights, please contact us at:

• Email: support@linkrunner.io
• Subject Line: Data Subject Request - [Type of Request]

We will respond to Your request within 30 days. If the request is complex or we receive numerous requests, we may extend this period by up to two additional months.

11.1 Security Commitment

The security of Your Personal Data is important to Us. We have implemented appropriate technical and organizational measures designed to protect Personal Data against unauthorized access, alteration, disclosure, or destruction.

11.2 Security Measures

Our security program includes:

11.3 Compliance Certifications

We maintain the following compliance certifications and attestations:

• SOC 2 Type 2: Annual audit covering Security, Availability, and Confidentiality trust service criteria
• ISO 27001: Information Security Management System certification (in progress)
• GDPR Compliance: Adherence to EU General Data Protection Regulation requirements

Customers may request copies of our SOC 2 report or other compliance documentation under NDA by contacting darshil@linkrunner.io or shreyans@linkrunner.io.

11.4 Security Incident Response

We maintain a documented incident response plan that includes detection and analysis procedures, containment, eradication, and recovery steps, post-incident review and lessons learned, and communication protocols.

Despite our security measures, no method of transmission over the Internet or method of electronic storage is 100% secure. We continuously monitor and improve our security controls to protect Your data.

12.1 Notification to Supervisory Authorities

In accordance with GDPR Article 33, in the event of a personal data breach, We will notify the relevant Supervisory Authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.

12.2 Notification to Data Subjects

In accordance with GDPR Article 34, if a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, We will communicate the breach to affected individuals without undue delay.

12.3 Notification to Customers (as Data Processor)

When acting as a Data Processor, We will notify affected customers of any personal data breach without undue delay after becoming aware of the breach, in accordance with our Data Processing Agreements.

12.4 Breach Notification Content

Our breach notifications will include:

• Nature of the personal data breach
• Categories and approximate number of data subjects and records concerned
• Contact details of our Data Protection Officer
• Likely consequences of the breach
• Measures taken or proposed to address the breach

17.1 General Inquiries

17.2 Data Protection Officer

For matters related to data protection and the exercise of Your rights under GDPR, please contact our Data Protection Officer:

Email: darshil@linkrunner.io or shreyans@linkrunner.io
Subject Line: Data Protection Inquiry

17.3 EU Representative (Article 27 GDPR)

For data subjects located in the European Union, our designated EU representative pursuant to Article 27 GDPR is:

17.4 UK Representative (Article 27 UK GDPR)

For data subjects located in the United Kingdom, our designated UK representative is:

17.5 Complaints

If You are not satisfied with how We handle Your Personal Data or respond to Your requests, You have the right to lodge a complaint with a Supervisory Authority. A list of Supervisory Authorities is available at: edpb.europa.eu

18.1 California Residents (CCPA/CPRA)

If You are a California resident, You have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including:

• Right to know what personal information is collected
• Right to know whether personal information is sold or disclosed and to whom
• Right to say no to the sale of personal information
• Right to access Your personal information
• Right to equal service and price (non-discrimination)
• Right to correct inaccurate personal information
• Right to limit use and disclosure of sensitive personal information

We do not sell personal information as defined by the CCPA/CPRA. To exercise these rights, contact us at darshil@linkrunner.io or shreyans@linkrunner.io with the subject line "California Privacy Rights Request."

18.2 Brazil Residents (LGPD)

If You are a Brazil resident, You have rights under the Lei Geral de Proteção de Dados (LGPD), which are substantially similar to those described in Section 10 of this Policy.

18.3 India Residents (DPDP Act)

We comply with applicable provisions of the Digital Personal Data Protection Act, 2023, including requirements for consent, data principal rights, and data security.