Privacy Policy
Last updated: May 09, 2024
This Privacy Policy describes how Linkrunner ("Company", "We", "Us", or "Our") collects, uses, discloses, and protects Your information when You use our mobile attribution and analytics platform (the "Service"). This policy is designed to comply with the General Data Protection Regulation (GDPR), ISO 27001 information security standards, and SOC 2 Type 2 trust service criteria.
We are committed to protecting Your privacy and ensuring the security of Your personal data. By using the Service, You acknowledge that You have read and understood this Privacy Policy.
1. Interpretation and Definitions
1.1 Interpretation
Words with initial capital letters have defined meanings under the following conditions. These definitions apply whether they appear in singular or plural form.
1.2 Definitions
For the purposes of this Privacy Policy:
Account means a unique account created for You to access our Service or parts of our Service.
Affiliate means an entity that controls, is controlled by, or is under common control with a party, where "control" means ownership of 50% or more of the shares, equity interest, or other securities entitled to vote for election of directors or other managing authority.
Company (referred to as either "the Company", "We", "Us" or "Our" in this Policy) refers to Linkrunner Private Limited, HustleHub Tech Park, Sector 2, HSR Layout, Bangalore, Karnataka 560102, India.
Cookies are small files placed on Your computer, mobile device, or any other device by a website, containing details of Your browsing history on that website among its many uses.
Data Controller means the natural or legal person who (either alone or jointly with others) determines the purposes and means of the processing of personal data. For the purposes of this Privacy Policy, the Company is the Data Controller of Your Personal Data when You use our website or dashboard. When processing data on behalf of our customers, we act as a Data Processor.
Data Processor means a natural or legal person who processes personal data on behalf of the Data Controller.
Data Subject means the individual to whom Personal Data relates.
Device means any device that can access the Service such as a computer, cellphone, or digital tablet.
EEA means the European Economic Area.
Personal Data means any information relating to an identified or identifiable natural person ('Data Subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Service refers to the Linkrunner mobile attribution and analytics platform, including the website, dashboard, APIs, and SDK.
Service Provider (also referred to as "Subprocessor") means any natural or legal person who processes data on behalf of the Company to facilitate the Service, provide the Service on behalf of the Company, perform services related to the Service, or assist the Company in analyzing how the Service is used.
Supervisory Authority means an independent public authority established by an EU Member State pursuant to Article 51 of the GDPR.
Usage Data refers to data collected automatically, either generated by the use of the Service or from the Service infrastructure itself.
Website refers to Linkrunner, accessible from https://linkrunner.io
You means the individual accessing or using the Service, or the company or other legal entity on behalf of which such individual is accessing or using the Service, as applicable.
2. Data Controller and Data Processor Roles
2.1 When We Act as Data Controller
We act as a Data Controller when:
You visit our website or use our dashboard
You create an account with us
You contact us for support or inquiries
We process Your account and billing information
2.2 When We Act as Data Processor
We act as a Data Processor when:
We process end-user attribution data on behalf of our customers
We handle analytics data that our customers collect through our SDK
We process any personal data as instructed by our customers under a Data Processing Agreement (DPA)
When acting as a Data Processor, our customers are the Data Controllers, and their privacy policies govern the collection and use of end-user data. We process such data only in accordance with our customers' documented instructions and applicable Data Processing Agreements.
3. Legal Basis for Processing Personal Data (GDPR Article 6)
We process Your Personal Data only when we have a valid legal basis to do so. The legal bases we rely on include:
3.1 Performance of a Contract (Article 6(1)(b))
We process data necessary to fulfill our contractual obligations to You, including:
Creating and managing Your account
Providing the attribution and analytics services You have subscribed to
Processing payments and billing
Providing customer support
3.2 Legitimate Interests (Article 6(1)(f))
We process data based on our legitimate interests, provided these interests are not overridden by Your rights and freedoms. This includes:
Improving and optimizing our Service
Detecting and preventing fraud or abuse
Ensuring network and information security
Conducting business analytics and reporting
3.3 Legal Obligation (Article 6(1)(c))
We process data when required to comply with applicable laws, regulations, or legal processes, including:
Tax and accounting requirements
Responding to lawful requests from public authorities
Compliance with data protection laws
3.4 Consent (Article 6(1)(a))
Where required by law, we obtain Your consent before processing Your Personal Data for specific purposes, such as:
Sending marketing communications
Using non-essential cookies
Processing special categories of data (if applicable)
You may withdraw Your consent at any time by contacting us at darshil@linkrunner.io or shreyans@linkrunner.io. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
4. Types of Data Collected
4.1 Personal Data
When You use Our Service, We may ask You to provide Us with certain personally identifiable information that can be used to contact or identify You. This may include:
Email address
First name and last name
Phone number (optional)
Company name and job title
Billing address
Payment information (processed by our payment processor)
4.2 Usage Data
Usage Data is collected automatically when using the Service and may include:
Your Device's Internet Protocol address (IP address)
Browser type and version
The pages of our Service that You visit
The time and date of Your visit
Time spent on pages
Unique device identifiers
Diagnostic data
When You access the Service through a mobile device, We may collect:
Type of mobile device
Mobile device unique ID
IP address of Your mobile device
Mobile operating system
Type of mobile Internet browser
Unique device identifiers
Other diagnostic data
4.3 Attribution and Analytics Data (Processed as Data Processor)
When our customers use our SDK in their mobile applications, we may process the following data on their behalf:
Advertising identifiers (IDFA, GAID)
Device information and characteristics
App installation and event data
Campaign attribution data
Conversion and revenue data
IP addresses (for geo-location purposes)
This data is processed in accordance with our customers' instructions and the applicable Data Processing Agreement.
5. Tracking Technologies and Cookies
We use Cookies and similar tracking technologies to track activity on Our Service and store certain information.
5.1 Types of Cookies We Use
Strictly Necessary Cookies
Type: Session Cookies
Purpose: Essential for providing services through the Website and enabling use of features. Required for user authentication and preventing fraudulent use of accounts.
Legal Basis: Necessary for the performance of a contract
Functional Cookies
Type: Persistent Cookies
Purpose: Remember choices You make when using the Website, such as login details or language preferences.
Legal Basis: Legitimate interests / Consent
Analytics Cookies
Type: Persistent Cookies
Purpose: Help us understand how visitors interact with the Website by collecting and reporting information.
Legal Basis: Consent
5.2 Cookie Consent
In accordance with GDPR requirements, we obtain Your consent before placing non-essential cookies on Your device. You can manage Your cookie preferences at any time through our cookie consent banner or by adjusting Your browser settings.
5.3 How to Control Cookies
You can set Your browser to refuse all cookies or indicate when a cookie is being sent. However, if You do not accept cookies, You may not be able to use some parts of our Service.
6. Use of Your Personal Data
We use Personal Data for the following purposes:
Service Delivery
To provide and maintain our Service, including monitoring usage
To manage Your Account and registration
To provide customer support
Contractual Performance
To fulfill the purchase contract for products, items, or services
To process payments and billing
Communication
To contact You by email, telephone, SMS, or push notifications regarding updates or informative communications related to the Service
To provide security updates when necessary
Marketing (with consent)
To provide news, special offers, and general information about other goods, services, and events similar to those You have purchased or enquired about, unless You have opted not to receive such information
Business Operations
For data analysis and identifying usage trends
To evaluate and improve our Service, products, services, and marketing
For business transfers (mergers, acquisitions, asset sales)
Legal and Compliance
To comply with legal obligations
To protect our rights and prevent fraud
7. Data Sharing and Disclosure
We may share Your Personal Data in the following situations:
7.1 With Service Providers (Subprocessors)
We share data with third-party service providers who assist us in operating the Service. These providers are contractually bound to protect Your data and may only process it for specified purposes.
Our current Subprocessors include:
Subprocessor Purpose Location Amazon Web Services (AWS) Cloud infrastructure and hosting India, EU, United States Google Cloud Platform (GCP) Cloud infrastructure and data processing India, EU, United States
We maintain an up-to-date list of subprocessors and will notify customers of any changes as required by our Data Processing Agreements.
7.2 For Business Transfers
If the Company is involved in a merger, acquisition, or asset sale, Your Personal Data may be transferred. We will provide notice before Your Personal Data is transferred and becomes subject to a different Privacy Policy.
7.3 With Affiliates
We may share Your information with Our affiliates, in which case we will require those affiliates to honor this Privacy Policy.
7.4 With Business Partners
We may share Your information with Our business partners to offer You certain products, services, or promotions, with Your consent.
7.5 For Legal Requirements
We may disclose Your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g., a court or government agency), including to:
Comply with a legal obligation
Protect and defend the rights or property of the Company
Prevent or investigate possible wrongdoing in connection with the Service
Protect the personal safety of users of the Service or the public
Protect against legal liability
8. International Data Transfers
Your information, including Personal Data, may be transferred to and maintained on computers located outside of Your state, province, country, or other governmental jurisdiction where data protection laws may differ from those in Your jurisdiction.
8.1 Transfer Mechanisms
For transfers of Personal Data from the EEA, UK, or Switzerland to countries that have not been deemed to provide an adequate level of data protection, we rely on:
Standard Contractual Clauses (SCCs): We use the European Commission's Standard Contractual Clauses for data transfers to countries outside the EEA.
Adequacy Decisions: Where applicable, we transfer data to countries that have received an adequacy decision from the European Commission.
Supplementary Measures: Where necessary, we implement additional technical and organizational measures to ensure an adequate level of protection.
8.2 Transfer Impact Assessments
We conduct Transfer Impact Assessments (TIAs) to evaluate the laws and practices of destination countries and implement supplementary measures where necessary to ensure that transferred data receives a level of protection essentially equivalent to that guaranteed within the EEA.
8.3 Data Processing Agreements
We enter into Data Processing Agreements (DPAs) with our customers that include Standard Contractual Clauses and define the terms under which we process Personal Data on their behalf. Customers may request a copy of our DPA by contacting darshil@linkrunner.io or shreyans@linkrunner.io.
9. Data Retention
9.1 Retention Periods
We retain Personal Data only for as long as necessary for the purposes set out in this Privacy Policy:
Data Type Retention Period Justification Account information Duration of account + 3 years Contractual performance, legal obligations Billing and transaction data 7 years Legal and tax requirements Usage data 26 months Service improvement, analytics Attribution data (as Processor) As specified by customer (default: 12 months) Customer instructions Customer support records 3 years after last interaction Service quality, dispute resolution Marketing consent records Duration of consent + 3 years Legal compliance (proof of consent)
9.2 Criteria for Retention
When determining retention periods, we consider:
The nature and sensitivity of the data
The purposes for which we process the data
Applicable legal requirements
Our legitimate business interests
Customer instructions (when acting as Processor)
9.3 Data Deletion
Upon expiration of the retention period or upon valid request, we will securely delete or anonymize Your Personal Data, unless retention is required by law or for the establishment, exercise, or defense of legal claims.
10. Your Data Protection Rights (GDPR)
If You are located in the European Economic Area (EEA), United Kingdom, or Switzerland, You have certain data protection rights under applicable law:
10.1 Right of Access (Article 15)
You have the right to request copies of Your Personal Data. We may charge a reasonable fee for additional copies.
10.2 Right to Rectification (Article 16)
You have the right to request that We correct any information You believe is inaccurate or complete information You believe is incomplete.
10.3 Right to Erasure (Article 17)
You have the right to request that We erase Your Personal Data, under certain conditions, including when:
The data is no longer necessary for the purposes for which it was collected
You withdraw consent (where processing was based on consent)
You object to processing and there are no overriding legitimate grounds
The data has been unlawfully processed
10.4 Right to Restriction of Processing (Article 18)
You have the right to request that We restrict the processing of Your Personal Data, under certain conditions, including when:
You contest the accuracy of the data
Processing is unlawful and You oppose erasure
We no longer need the data but You need it for legal claims
You have objected to processing pending verification of legitimate grounds
10.5 Right to Data Portability (Article 20)
You have the right to receive the Personal Data You have provided to Us in a structured, commonly used, and machine-readable format, and to transmit that data to another controller, where processing is based on consent or contract and is carried out by automated means.
10.6 Right to Object (Article 21)
You have the right to object to processing of Your Personal Data:
Where processing is based on legitimate interests or public interest
For direct marketing purposes (including profiling)
For scientific/historical research or statistical purposes
10.7 Right Not to Be Subject to Automated Decision-Making (Article 22)
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects You.
We do not currently engage in solely automated decision-making that produces legal or similarly significant effects. If this changes, we will update this policy and provide You with meaningful information about the logic involved, as well as the significance and envisaged consequences.
10.8 Right to Withdraw Consent
Where We rely on consent as the legal basis for processing, You have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
10.9 Right to Lodge a Complaint
You have the right to lodge a complaint with a Supervisory Authority in the EU Member State of Your habitual residence, place of work, or place of the alleged infringement if You consider that the processing of Your Personal Data infringes the GDPR.
10.10 How to Exercise Your Rights
To exercise any of these rights, please contact us at:
Email: darshil@linkrunner.io or shreyans@linkrunner.io
Subject Line: Data Subject Request - [Type of Request]
We will respond to Your request within 30 days. If the request is complex or we receive numerous requests, we may extend this period by up to two additional months, and we will inform You of any such extension.
We may request specific information from You to confirm Your identity and ensure Your right to access the data or exercise other rights.
11. Security of Your Personal Data
11.1 Security Commitment
The security of Your Personal Data is important to Us. We have implemented appropriate technical and organizational measures designed to protect Personal Data against unauthorized access, alteration, disclosure, or destruction.
11.2 Security Measures
Our security program includes:
Technical Controls
Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
Multi-factor authentication (MFA) for access to systems
Network security controls including firewalls and intrusion detection
Regular vulnerability assessments and penetration testing
Secure software development lifecycle (SDLC)
Access logging and monitoring
Organizational Controls
Information security policies and procedures
Employee security awareness training
Background checks for employees with access to personal data
Vendor security assessments
Incident response procedures
Business continuity and disaster recovery planning
11.3 Compliance Certifications
We maintain the following compliance certifications and attestations:
SOC 2 Type 2: Annual audit covering Security, Availability, and Confidentiality trust service criteria
ISO 27001: Information Security Management System certification (in progress)
GDPR Compliance: Adherence to EU General Data Protection Regulation requirements
Customers may request copies of our SOC 2 report or other compliance documentation under NDA by contacting darshil@linkrunner.io or shreyans@linkrunner.io.
11.4 Security Incident Response
We maintain a documented incident response plan that includes:
Detection and analysis procedures
Containment, eradication, and recovery steps
Post-incident review and lessons learned
Communication protocols
Despite our security measures, no method of transmission over the Internet or method of electronic storage is 100% secure. We continuously monitor and improve our security controls to protect Your data.
12. Data Breach Notification
12.1 Notification to Supervisory Authorities
In accordance with GDPR Article 33, in the event of a personal data breach, We will notify the relevant Supervisory Authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
12.2 Notification to Data Subjects
In accordance with GDPR Article 34, if a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, We will communicate the breach to affected individuals without undue delay.
12.3 Notification to Customers (as Data Processor)
When acting as a Data Processor, We will notify affected customers of any personal data breach without undue delay after becoming aware of the breach, in accordance with our Data Processing Agreements.
12.4 Breach Notification Content
Our breach notifications will include:
Nature of the personal data breach
Categories and approximate number of data subjects and records concerned
Contact details of our Data Protection Officer
Likely consequences of the breach
Measures taken or proposed to address the breach
13. Children's Privacy
Our Service does not address anyone under the age of 16 (or a higher age if required by applicable law). We do not knowingly collect personally identifiable information from anyone under this age.
If You are a parent or guardian and You are aware that Your child has provided Us with Personal Data, please contact Us. If We become aware that We have collected Personal Data from anyone under the applicable age without verification of parental consent, We take steps to remove that information from Our servers.
14. Third-Party Links and Services
Our Service may contain links to other websites that are not operated by Us. If You click on a third-party link, You will be directed to that third party's site. We strongly advise You to review the Privacy Policy of every site You visit.
We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.
15. Changes to this Privacy Policy
We may update Our Privacy Policy from time to time. We will notify You of any material changes by:
Posting the new Privacy Policy on this page
Updating the "Last updated" date at the top of this Privacy Policy
Sending an email notification (for material changes affecting Your rights)
Providing a prominent notice on Our Service
For changes that materially affect the processing of Your Personal Data or Your rights, we will provide at least 30 days' notice before the changes take effect.
You are advised to review this Privacy Policy periodically for any changes. Continued use of the Service after the effective date of any changes constitutes acceptance of the updated Privacy Policy.
16. Governing Law and Jurisdiction
This Privacy Policy shall be governed by and construed in accordance with the laws of India, without regard to its conflict of law provisions.
For disputes arising under this Privacy Policy involving residents of the European Union, the applicable data protection laws of the relevant EU Member State shall apply, and competent courts of that Member State shall have jurisdiction.
17. Contact Us
17.1 General Inquiries
If You have any questions about this Privacy Policy, You can contact us:
Linkrunner Private Limited
HustleHub Tech Park, Sector 2, HSR Layout
Bangalore, Karnataka 560102, India
Email: darshil@linkrunner.io or shreyans@linkrunner.io
Website: https://linkrunner.io/contact
17.2 Data Protection Officer
For matters related to data protection and the exercise of Your rights under GDPR, please contact our Data Protection Officer:
Email: darshil@linkrunner.io or shreyans@linkrunner.io
Subject Line: Data Protection Inquiry
17.3 EU Representative
For data subjects located in the European Union, our EU Representative can be contacted at:
[EU Representative Name and Address]
Email: darshil@linkrunner.io or shreyans@linkrunner.io
(Note: If you process EU personal data and are not established in the EU, Article 27 GDPR requires appointment of an EU representative)
17.4 Complaints
If You are not satisfied with how We handle Your Personal Data or respond to Your requests, You have the right to lodge a complaint with a Supervisory Authority. A list of Supervisory Authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en
18. Additional Information for Specific Jurisdictions
18.1 California Residents (CCPA/CPRA)
If You are a California resident, You have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including:
Right to know what personal information is collected
Right to know whether personal information is sold or disclosed and to whom
Right to say no to the sale of personal information
Right to access Your personal information
Right to equal service and price (non-discrimination)
Right to correct inaccurate personal information
Right to limit use and disclosure of sensitive personal information
We do not sell personal information as defined by the CCPA/CPRA.
To exercise these rights, contact us at darshil@linkrunner.io or shreyans@linkrunner.io with the subject line "California Privacy Rights Request."
18.2 Brazil Residents (LGPD)
If You are a Brazil resident, You have rights under the Lei Geral de Proteção de Dados (LGPD), which are substantially similar to those described in Section 10 of this Policy.
18.3 India Residents (DPDP Act)
We comply with applicable provisions of the Digital Personal Data Protection Act, 2023, including requirements for consent, data principal rights, and data security.
This Privacy Policy is effective as of January 23, 2026.
