superlink.fyi
Legal

Privacy policy

How we handle your data on superlink.fyi and supr.fyi — written in line with the EU GDPR and the German BDSG.

Legal NoticeTerms of serviceCookie policyReport a link

At a glance

  • We process the minimum data needed to run the Service.
  • We do not store visitors' raw IP addresses.
  • You can access, export or delete your data at any time.
  • Pro users are independent controllers for the tracking pixels and lead data they collect.
  • Hosting is in the EU where available; transfers outside the EEA use SCCs.

1. Who's responsible (controller)

Controller under Art. 4 (7) GDPR:

Dominic Mueller
Mainzer Str. 19, 50678 Köln, Germany
Email: hello@superlink.fyi

2. What data we process

a) Account data

  • Email, hashed password, display name, plan, link quota.
  • Sign-up timestamp, anti-abuse fingerprint, hashed IP indicator.

b) Content you create

  • Slugs, destination URLs, titles, descriptions, images, videos, PDFs, poll questions, profile images and other splash-page content.

c) Visitor data on splash pages

  • Timestamp, referrer, user-agent, traffic source.
  • Coarse country / region / city derived from IP.
  • Device type, OS, browser.
  • Aggregated counters per Superlink (visits, click-throughs).
We do not store visitors' raw IP addresses. Geo data is derived on the fly and only kept in coarse form.

d) Interactions on splash pages

  • Poll votes, with an opaque, non-reversible voter fingerprint to prevent double-voting.
  • PDF downloads (timestamp, user-agent, referrer).
  • Lead-form submissions on Pro splash pages — name, email, and the consent flag the visitor ticked.
  • Reports submitted via /report — category, reason, optional reporter email, user-agent, referrer.

3. Why we process it (legal bases)

  • Running the Service (account, link creation, splash rendering, click tracking) — Art. 6 (1)(b) GDPR (contract).
  • Security & abuse prevention (sign-up fingerprinting, rate limits, report handling, ban enforcement) — Art. 6 (1)(f) GDPR (legitimate interests).
  • Aggregate analytics for the link owner (visits, countries, sources) — Art. 6 (1)(f) GDPR. Aggregated, no IP addresses.
  • Lead-form submissions — Art. 6 (1)(a) GDPR (visitor consent via the explicit checkbox), forwarded to the Pro user.
  • Pixels & custom tags on Pro splash pages (Meta, Google, TikTok, LinkedIn, Pinterest, X, GTM, Hotjar, Clarity, Plausible, Segment, etc.) — controlled by the Pro user.
  • Billing via our payment provider — Art. 6 (1)(b) and (c) GDPR.
  • Transactional emails (account, security, report receipts) — Art. 6 (1)(b) and (f) GDPR.
  • Legal obligations (tax, accounting, law-enforcement requests) — Art. 6 (1)(c) GDPR.

4. Pro users: what you're responsible for

If you're a Pro user enabling extra features on your splash pages, you act as an independent controller for the data those features collect.

Lead-form data is controlled by the Pro user who set up the form. You're responsible for storing it lawfully and answering visitor rights requests for that data.
Pro users are responsible for their own tracking tools. If you add Meta, Google, TikTok or any other pixel to your splash page, you must obtain visitor consent and provide your own privacy disclosures.

5. Cookies & local storage

We use strictly necessary cookies and localStorage for login sessions, anti-abuse fingerprints and to remember poll votes / lead-form submissions per visitor.

See our Cookie policy for details. Pro users may add their own analytics or advertising tags to their splash pages — those are governed by the respective provider's policy.

6. Who we share data with (processors)

  • Hosting & backend: Lovable Cloud (Supabase), EU regions where available.
  • Email delivery: Lovable Email infrastructure, operated within the EU.
  • Edge / CDN: Cloudflare, for routing of supr.fyi / superlink.fyi.
  • Payments: Paddle.com Market Limited (Merchant of Record).
  • Customer-configured tags (Meta, Google, TikTok, LinkedIn, Pinterest, X, GTM, Hotjar, Clarity, Plausible, Segment, custom HTML) on Pro splash pages — only when the Pro user enables them.

We have data-processing agreements (Art. 28 GDPR) with all processors. Where data is transferred outside the EEA, transfers are protected by Standard Contractual Clauses or an adequacy decision.

7. How long we keep data

  • Account data: while your account is active, plus up to 30 days after a deletion request, then permanently erased.
  • Visit & interaction data: up to 24 months in raw form, then aggregated.
  • Lead-form submissions: controlled by the Pro user who collected them — they apply their own retention rules.
  • Reports submitted via /report: up to 36 months, for abuse-prevention purposes.
  • Billing & tax records: 10 years (§ 147 AO).

8. Your rights under the GDPR

You can:

  • Access your personal data (Art. 15).
  • Correct inaccurate data (Art. 16).
  • Request erasure — “right to be forgotten” (Art. 17).
  • Restrict processing (Art. 18).
  • Receive your data in a portable format (Art. 20).
  • Object to processing based on legitimate interests (Art. 21).
  • Withdraw consent at any time, without affecting prior processing (Art. 7 (3)).
  • Lodge a complaint with a supervisory authority. For users in NRW: Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen, Düsseldorf.

To exercise any right, email hello@superlink.fyi.

9. Automated decision-making

We don't use automated decision-making with legal effect, including profiling under Art. 22 GDPR.

10. Changes to this policy

We may update this policy from time to time. The current version is always at this URL. Material changes will be announced in-product or by email.

11. Contact

For any privacy request, email hello@superlink.fyi.

Legal NoticeTerms of serviceCookie policyReport a link
Last updated: 24 April 2026