Privacy Policy
This Privacy Policy describes how Linkorilla ("we", "the Controller") collects, uses and protects the personal data of users who register and use the service available on linkorilla.com (the "Service"), in compliance with Regulation (EU) 2016/679 ("GDPR"), Italian Legislative Decree 196/2003 as amended by Legislative Decree 101/2018 and the guidelines of the Italian Data Protection Authority (Garante). For information on cookie usage, see the Cookie Policy.
1. Data Controller
The Data Controller is:
Responsive Lab S.r.l.
Via Nicola Cacudi, 50 – 70124 Bari (BA), Italy
VAT: IT08004470723
Email: privacy@linkorilla.com
For any question regarding the processing of your personal data you can contact us at the email address above.
2. Types of personal data processed
2.1 Data provided by the user
- Phone number: used for authentication via OTP (One-Time Password).
- Email address: used as account identifier and for service communications.
- Billing details: name/company name, tax code, VAT number, address – required for payment processing and electronic invoicing. These fields are encrypted at rest.
- URLs and link content: destination URLs entered by the user to create short links.
2.2 Data collected automatically
- IP address: temporarily recorded at the time of a short-link click; converted to an anonymous hash within a few hours of collection. The raw IP is deleted from our systems within 24 hours.
- Country of origin: derived from the IP via offline geolocation (MaxMind GeoLite2); the IP is then discarded.
- User agent: browser/device string used to classify device type (desktop/mobile/tablet) and browser.
- HTTP referrer: URL the visitor came from, if transmitted by the browser.
- UTM parameters: campaign-tracking tags present in the URL, if any.
- Session data: encrypted session token stored in a cookie, expiring after 14 days.
2.3 Data of link visitors (third parties)
When an end-user (visitor) clicks a short link created with Linkorilla, the technical data listed at point 2.2 is collected on behalf of the user who created the link. The visitor does not create an account and does not have a direct contractual relationship with Linkorilla. The user who owns the link is responsible for informing their visitors of the tracking performed via Linkorilla.
2.4 Data sent to Facebook (optional feature)
Pro users who enable the Facebook Conversions API (CAPI) integration authorize Linkorilla to transmit the following data of their visitors to Meta Platforms at the time of a conversion: IP address, user agent, URL of the conversion page, purchase value (where available), _fbp and _fbc cookies (browser identifiers set by Meta, if present).
This feature is disabled by default and must be explicitly enabled by the user in their account Settings.
The user who enables it is responsible for informing their visitors of this processing in their own privacy policy.
3. Purposes of processing and legal bases
| Purpose | Legal basis (Art. 6 GDPR) |
|---|---|
| Account creation and management, OTP authentication | Performance of contract (Art. 6(1)(b)) |
| Provision of the Service (link creation, redirect, QR code, Bio Page) | Performance of contract (Art. 6(1)(b)) |
| Click tracking and analytics for the registered user | Performance of contract (Art. 6(1)(b)) |
| Payment processing and invoicing | Performance of contract + Legal obligation (Art. 6(1)(b) and (c)) |
| Retention of accounting and tax data | Legal obligation (Art. 6(1)(c)) – 10 years per Italian D.P.R. 600/1973 |
| Abuse prevention, security and rate limiting | Legitimate interest of the Controller (Art. 6(1)(f)) |
| Service communications (technical notices, renewals, expirations) | Performance of contract (Art. 6(1)(b)) |
| Transmission of conversion data to Facebook CAPI (only if enabled by the Pro user) | Performance of contract (Art. 6(1)(b)) – feature requested by the user |
4. Retention period
- Login sessions: automatically expire after 14 days of inactivity.
- OTP / phone number history: OTP logs are deleted within 15 days of generation.
- Raw visitor IP addresses: removed within 24 hours of collection; the anonymous hash remains associated with the click record.
- Click and analytics data: retained for the duration of the contract. Deleted within 30 days of account cancellation.
- Account data: retained for the duration of the contract and deleted within 30 days of a deletion request, unless legal obligations apply.
- Billing data: retained for 10 years to comply with tax and accounting obligations.
- Data sent to Facebook CAPI: once delivered to Meta Platforms, it is subject to Meta's Privacy Policy. Linkorilla does not retain a separate copy of transmitted data beyond what is already in conversion logs.
5. Recipients and data processors
Data may be shared with the following categories of recipients, acting as Data Processors pursuant to Art. 28 GDPR:
- Stripe, Inc. (San Francisco, CA, USA) – card payment processing. Stripe is PCI DSS Level 1 certified and adheres to the Standard Contractual Clauses (SCC). Privacy policy: stripe.com/privacy.
- Twilio, Inc. (San Francisco, CA, USA) – SMS delivery for OTP authentication. Adheres to the SCC. Privacy policy: twilio.com/legal/privacy.
- Meta Platforms, Inc. (Menlo Park, CA, USA) – recipient of conversion data via Facebook Conversions API, only for Pro users who explicitly enable this integration. Meta adheres to the SCC. Privacy policy: facebook.com/privacy/policy.
- MaxMind, Inc. – IP geolocation via the GeoLite2 database installed locally on our servers; no data is transmitted to MaxMind.
- Hosting provider – the servers hosting Linkorilla are located within the European Union.
- SMTP provider – for sending transactional emails (password reset, confirmations, invoices).
Data is not sold, leased or shared with third parties for marketing purposes.
6. Transfers to third countries
Some of the providers listed (Stripe, Twilio, Meta Platforms) are based in the United States. Transfers are governed by Standard Contractual Clauses (SCC) approved by the European Commission pursuant to Art. 46(2)(c) GDPR, which provide an adequate level of protection.
7. Cookies and similar technologies
For a full description of cookies used on linkorilla.com, see the Cookie Policy. In short, Linkorilla uses exclusively technical cookies that are necessary for the operation of the Service; no profiling or third-party tracking cookies are installed.
The Linkorilla Pixel – an optional feature that can be installed on third-party sites – does not drop cookies on the visitor's browser; it uses the browser's localStorage to temporarily store (7 days) the click reference for attributing conversions. If the Facebook CAPI integration is enabled, the Pixel reads (without writing) the _fbp and _fbc cookies that Meta may already have set in the visitor's browser.
8. Rights of the data subject
As a data subject you have the right to:
- Access (Art. 15 GDPR): obtain confirmation of processing and a copy of your data.
- Rectification (Art. 16 GDPR): correct inaccurate or incomplete data.
- Erasure ("right to be forgotten") (Art. 17 GDPR): request deletion of your data, unless retention is required by law.
- Restriction of processing (Art. 18 GDPR): obtain suspension of processing in certain cases.
- Portability (Art. 20 GDPR): receive your data in a structured, machine-readable format, or have it transmitted to another controller.
- Objection (Art. 21 GDPR): object to processing based on legitimate interest.
- Withdrawal of consent: where processing is based on consent, withdraw it at any time without affecting processing already performed.
To exercise your rights, write to privacy@linkorilla.com. We will respond within 30 days of receipt of the request, possibly extended by another 60 days in the cases provided for by Art. 12(3) GDPR.
9. Right to lodge a complaint with the supervisory authority
You have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali), headquartered at Piazza Venezia 11 – 00187 Rome, website garanteprivacy.it, if you believe the processing of your data infringes the GDPR.
10. Security measures
We adopt appropriate technical and organizational measures to protect personal data against unauthorized access, loss, destruction or disclosure:
- Encrypted connections via TLS/HTTPS on all communications.
- Billing data and third-party access tokens encrypted at rest with AES-256-GCM.
- Visitor IP addresses anonymized via hashing within 24 hours of collection.
- Rate limiting on requests to prevent abuse and automated attacks.
- Access to production systems limited to authorized personnel.
11. Changes to this Privacy Policy
The Controller reserves the right to amend this Privacy Policy. Substantial changes will be notified by email to the address associated with the account with at least 15 days' notice. Continued use of the Service after that period constitutes acceptance of the new version. The updated version is always available on this page, with the date of last modification.