Privacy Policy

WarpLink collects the minimum data needed to redirect links, attribute app installs, and show analytics. It falls into three groups: account information you provide, click analytics from link visitors, and attribution signals from apps that embed our SDK. Some of the data we process from link visitors consists of pseudonymous identifiers, such as hashed values and device signatures, rather than information that directly identifies a person. We do not sell your data, and we do not share it with advertisers.

When someone clicks a WarpLink short link, we record the link identifier, a timestamp, approximate location derived from network information (country, region, and city), device type, operating system and version, browser, the referring URL, and any UTM campaign parameters on the link. We also store a one-way SHA-256 hash of the visitor's IP address, which we use to count unique clicks. That hash is not reversible, and we do not store the raw IP address in our click records.

Apps that integrate the WarpLink SDK send signals we use to attribute an install to the link that drove it. Depending on the platform and configuration, these signals include a device identifier provided by the operating system (such as the iOS Identifier for Vendors), the device language, screen dimensions, and time zone offset.

From these signals and the request's IP address we compute a device fingerprint, a SHA-256 hash used to match an install to a recent click. We store the fingerprint and the device identifier, along with the match type and a confidence score. The raw IP address is used only momentarily in memory to compute the fingerprint and is not stored. We do not use the Apple Identifier for Advertisers (IDFA).

When you create an account, we collect your email address and, optionally, a display name. You can register using email and password, GitHub, or Google. Authentication and sessions are managed by Better Auth. A session record may include the IP address and browser user agent associated with your sign-in, which we use to maintain and secure your session.

WarpLink uses session cookies on the authenticated dashboard to keep you signed in. We do not use advertising cookies, and we do not place tracking cookies on link redirects. Our public marketing site uses Google Analytics configured in a cookieless consent mode, which measures aggregate site usage without storing analytics cookies on your device.

• Redirect links and provide deep linking
• Attribute app installs to the links that drove them
• Show aggregated click and install analytics in your dashboard
• Process subscription payments through Stripe
• Send transactional email such as verification, password resets, team invitations, and billing notifications through Resend
• Monitor errors and maintain reliability through Sentry

We never sell your data to third parties, and we never share it with advertisers.

If you are in the European Economic Area or the United Kingdom, we process personal data under the following legal bases:

• Contract: operating your account and providing the service you signed up for.
• Legitimate interests: producing analytics, attributing installs, securing the service, and preventing abuse.
• Legal obligation: meeting tax, accounting, and other regulatory requirements.
• Consent: where required for optional analytics. You can withdraw consent at any time.

WarpLink is operated from Canada, and our dashboard data and click analytics are stored in the United States. If you use WarpLink, your personal data may be processed and stored in the United States and may be subject to access by US authorities under applicable law. For personal data transferred from the European Economic Area, the United Kingdom, or Switzerland, we rely on Standard Contractual Clauses or equivalent safeguards with the providers that process that data on our behalf.

We protect your data with encryption in transit, one-way hashing of IP addresses in our click records, hashed account passwords, scoped API keys, and access controls, and we monitor for errors and anomalies. No method of transmission or storage is completely secure, so we cannot guarantee absolute security.

We retain click analytics according to your plan:

• Free: 90 days
• Starter: 180 days
• Growth: 365 days
• Scale: 3 years (1,095 days)

A scheduled process permanently deletes click records older than your plan's retention window. We keep your account information for as long as your account is active. When you delete your organization or account, all associated data is removed immediately through a cascading deletion, except where we are required by law to retain certain records.

Depending on where you live, you may have the right to access, correct, delete, restrict, or object to our processing of your personal data, to data portability, and to withdraw consent. You can exercise several of these directly: export your click analytics as CSV from your dashboard, or delete your organization from your settings, which permanently removes its associated data. For any other request, email us at privacy@warplink.app and we will respond within the time required by applicable law.

If you are in Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial laws govern how we handle your personal information. You may request access to the personal information we hold about you, ask us to correct it, and withdraw consent. You may also direct a complaint to the Office of the Privacy Commissioner of Canada. Because our infrastructure is located in the United States, your information may be stored and processed there. To exercise your rights, email privacy@warplink.app.

California residents have the right to know what personal information we collect, to access and delete it, to correct inaccurate information, and to opt out of the sale or sharing of personal information. WarpLink does not sell or share personal information as those terms are defined under California law. To exercise your rights, email privacy@warplink.app.

WarpLink is not directed to children. We do not knowingly collect personal data from children under 13, or under 16 in the European Economic Area. If you believe a child has provided us with personal data, contact privacy@warplink.app and we will delete it.

Because our analytics run in a cookieless consent mode and we do not track individuals across third-party sites, there is no cross-site profile to suppress. We honor recognized opt-out signals such as Global Privacy Control where applicable.

We rely on the following providers to operate WarpLink. Each processes only the data needed for its function:

• A global edge network provider: link redirects and DNS, worldwide
• A US-based managed Postgres provider: dashboard data and click analytics, United States
• Stripe: payment processing
• Sentry: error monitoring
• Resend: transactional email delivery
• Google Analytics: aggregate, cookieless analytics on our marketing site
• Formspree: contact form submissions

WarpLink is the controller of the personal data described in this policy and is operated from Ontario, Canada. For privacy questions or to exercise your rights, contact us at privacy@warplink.app.

WarpLink does not collect the Apple Identifier for Advertisers (IDFA). Our iOS SDK uses the Identifier for Vendors (IDFV), which does not require an App Tracking Transparency prompt under Apple's current guidelines. See the Mobile SDK and Attribution Data section above for the full list of signals we collect.

We may update this Privacy Policy from time to time. We will post changes on this page and update the date shown above. Continued use of WarpLink after changes take effect constitutes acceptance of the revised policy. For privacy questions or data requests, contact us at privacy@warplink.app.