TraceLinker
Home
Legal & Policies

Privacy Policy

How TraceLinker handles your personal data.

Last updated: January 2026

Last updated: 2026

This Privacy Policy explains what data TraceLinker collects and how we use it.

What we collect

Account data

  • Email address (for sign-in via magic link)
  • Optional display name and avatar URL
  • Authentication session cookies

Backlink data you provide

  • CSVs of backlinks you upload for audit
  • URLs you choose to monitor
  • Outreach drafts you create or edit

Data we generate from your inputs

  • AI scores, labels, reasoning, action recommendations, toxicity verdicts
  • Crawl results from public source pages
  • Change logs from monitoring runs

Optional integration data

  • Google Search Console OAuth tokens (read-only webmasters.readonly scope) - encrypted at rest
  • Connected Google account email (for display in settings)

Billing data

  • Stripe customer ID, subscription ID, current period end
  • We never see or store your credit card number - Stripe handles payment data directly.

How we use it

  • To run the Service: process audits, run monitoring, send transactional emails, draft outreach.
  • To provide customer support when you contact us.
  • To improve the Service: aggregate, anonymized analytics on feature usage and error rates.
  • To bill you for paid plans through Stripe.

What we do NOT do

  • We do not sell your data to advertisers or third parties.
  • We do not train external AI models on your data. AI scoring runs as inference - no fine-tuning.
  • We do not share individual user data with other users (rows are isolated by row-level security on every table).

Cookies

We use only essential cookies:

  • Session cookie for authentication (HTTP-only, secure)
  • CSRF protection cookie for OAuth flows

We do not use marketing or tracking cookies.

Data retention

  • Account data: kept while your account is active. Deleted permanently within 30 days of account deletion.
  • Audit and monitoring data: kept while your account is active. You can delete individual audits anytime.
  • Backups: rolling 30-day point-in-time recovery; deleted data ages out of backups within that window.
  • Logs: 90 days then purged.

Subprocessors

We use the following service providers to operate TraceLinker:

  • Supabase - database, authentication, file storage
  • Vercel - application hosting (when deployed)
  • Stripe - payment processing
  • Resend - transactional email delivery (only when configured)
  • An LLM API provider - AI scoring inference (no training on your data)

Your rights

Depending on your jurisdiction (GDPR, CCPA, etc.) you have the right to:

  • Access the data we hold about you
  • Correct inaccurate data
  • Delete your data ("right to be forgotten")
  • Export your data
  • Object to specific processing

To exercise any of these rights, email privacy@tracelinker.com. We respond within 30 days.

Children

The Service is not intended for users under 18. We do not knowingly collect data from minors.

International transfers

Our infrastructure runs in multiple regions. By using the Service you consent to your data being processed in those regions.

Contact

Privacy questions: privacy@tracelinker.com.

Have a question about this policy?

Contact us →