Back to Home

Privacy Policy

Last updated: May 2026. Effective immediately.

Who we are

OhLinks ("we", "our", "us") is a smart-link platform operated by Nafaa Azaiez. We help mobile-app marketers and developers route a single short URL to the right App Store, Play Store, or web destination depending on the visitor's device and country.

We act as a data controller for your account data and as a data processor for the click events generated by visitors of your smart links.

Data we collect from you (account holder)

  • Email address — to create and identify your account, send you account-related emails (validation, password reset).
  • Display name — what we show in your dashboard. Optional.
  • Hashed password — bcrypt with a per-user salt; we never see your plaintext password.
  • OAuth identifier — if you sign in with Google, we store the Firebase-verified subject ID linking back to your Google account. We never receive your Google password.
  • Stripe customer ID — only if you subscribe to a paid plan. Card data is held by Stripe, not us.
  • Smart links you create — the URLs, titles, geo overrides, and preview metadata you configure.

Data we collect from visitors of your smart links

When someone clicks a smart link, we record an anonymous click event for analytics. Per click we store:

  • The smart link ID and the timestamp.
  • The detected platform (iOS / Android / Web), inferred from the User-Agent.
  • The country code (e.g. FR, US) inferred from the IP via a local DB-IP database (CC-BY 4.0 — see "Sub-processors" below). We don't store the IP itself.

We do not set cookies on the redirect domain, fingerprint visitors, share data with third-party trackers, or persist any personally identifying information about clickers.

How we use your data

  • Provide and operate the OhLinks service (resolve your links, show you analytics).
  • Authenticate you and protect your account.
  • Process payments (only via Stripe; see "Sub-processors" below).
  • Send you transactional emails (signup validation, password reset, important account updates). We don't send marketing emails without your explicit opt-in.
  • Detect and prevent abuse (rate limiting, anti-spam).

Legal bases (RGPD/GDPR Art. 6)

  • Contract performance — most account data and link operations.
  • Legitimate interest — fraud prevention, log retention for security, anonymous click analytics.
  • Consent — any optional analytics or marketing emails (you can withdraw it any time).
  • Legal obligation — invoice retention for taxation purposes.

Sub-processors

We use a small set of trusted vendors to operate the service:

  • Stripe (US/EU) — payment processing. Privacy.
  • Brevo (EU) — transactional email delivery. Privacy.
  • Firebase Auth (US) — Google sign-in token verification only. We never store Firebase user state. Privacy.
  • DB-IP Country Lite (local) — IP-to-country lookups happen on our servers from a database file we host locally; no data is sent to DB-IP in real time. The DB-IP Lite database is licensed under CC-BY 4.0 — credit: https://db-ip.com.
  • Our hosting provider (EU) — server infrastructure (PostgreSQL, Redis, application servers).

Data retention

  • Account data — kept until you delete your account.
  • Click events — kept for 13 months (rolling), then aggregated and the raw rows deleted.
  • Application logs — kept for 30 days, then purged.
  • Backups — encrypted, kept for 30 days, then rotated.
  • Stripe invoices — kept for 10 years to comply with taxation rules (legal obligation).

Your rights (RGPD/GDPR)

  • Access — view all data we hold about you (in your dashboard or by request).
  • Rectification — correct inaccurate data (in your settings).
  • Erasure — delete your account; everything we hold about you is deleted within seconds. See How to delete your account.
  • Portability — request an export of your data (JSON or CSV).
  • Restriction / Objection — limit or object to certain processing. Email us.
  • Complaint — file a complaint with your national data protection authority (in France: CNIL).

Security

All traffic is encrypted in transit (TLS 1.2+). Passwords are hashed with bcrypt. Database backups are encrypted at rest. Access to production systems is limited to authorized personnel and protected by 2FA. Webhook signatures from Stripe are verified, payloads are processed idempotently.

International transfers

Your data is primarily stored in the EU. Some sub-processors (Stripe, Firebase) may process data in the US under Standard Contractual Clauses (SCCs) and/or the EU-US Data Privacy Framework.

Children

OhLinks is not intended for users under 16. We do not knowingly collect data from children. If you believe a child has provided us data, contact us and we'll delete it.

Changes to this policy

We may update this policy occasionally. Material changes will be communicated via email and a notice in your dashboard at least 14 days before they take effect.

Contact

For privacy questions, exercise your rights, or report a concern, email privacy@oh-links.com.