Privacy Policy

1. Data Controller

The data controller for your personal data is:

• Name: Andrii Andriievskyi (FOP — Ukrainian sole trader)
• Operating as: LinkGuard AI
• Country: Ukraine
• Privacy contact: privacy@linkguard.ai

2. What Data We Collect

2.1 Account Data

When you register, we collect:

• Email address
• Full name (if provided)
• Password — stored as a bcrypt hash; never stored in plaintext
• Google user ID (if you registered via Google OAuth)
• Telegram chat ID (if you registered via Telegram OAuth)

2.2 Billing Data

Payment is handled entirely by Paddle.com Market Limited as our Merchant of Record. We do not receive or store your card number, CVV, or full payment details.

From Paddle we receive only: transaction ID and status, the Token package purchased, billing country (for tax purposes), and invoice reference numbers.

2.3 Product Usage Data (User Data)

To run the monitoring service, we store what you submit:

• Donor URLs (source pages containing your backlink)
• Target URLs (pages your link points to)
• Anchor text and rel attribute values
• Link check history — status codes, detection timestamps, change events
• HTML snippets of checked pages (temporary, for debugging — auto-purged after 72 hours)
• SERP check results (indexed/not indexed status)

This data belongs to you and is treated as confidential.

2.4 Telegram Bot Data

If you connect the LinkGuard Telegram bot, we store your Telegram chat ID for sending alerts. This is collected only after you initiate the /start command.

2.5 Technical Logs

Automatically collected during your sessions:

• IP address
• User-Agent (browser and OS)
• Request timestamps and accessed endpoints
• Error logs (anonymized via Sentry — see §5)

Logs are retained for 30 days, then automatically deleted.

2.6 Google Search Console Data (optional connection)

If you choose to connect your Google Search Console account, you authorize us — through Google's official OAuth 2.0 consent screen and the read-only scope webmasters.readonly — to read the following data from the Search Console properties you own or are granted access to:

• Search Analytics performance metrics — clicks, impressions, click-through rate, and average position for your queries, pages, countries, and devices
• URL Inspection results — Google's index status and coverage details for URLs you ask us to inspect
• The list of Sites and Sitemaps registered in your Search Console account, and their submission/processing status

We use this data only to power the in-app features you requested — surfacing your own search-performance trends, indexation status, and sitemap health alongside your backlink monitoring. It is your own first-party Google data; connecting Search Console simply lets you view and act on it inside LinkGuard.

How it's stored. To keep your connection alive between sessions we store the OAuth refresh token encrypted at rest with Fernet (AES-128); access tokens are short-lived and held only in memory for the duration of a request. The performance and indexation data we fetch is cached only as long as needed to render your dashboards. All connection records use soft deletion — when you disconnect, the token is invalidated and the record is marked deleted, then permanently purged on our standard retention schedule (within 30 days).

We never sell or share it. Your Google Search Console data is treated as confidential User Data: we do not sell it, do not use it for advertising, do not share it with other customers, and do not use it to benefit competitors — consistent with §4 ("How We Use Your Data") of this policy and the Google API Services User Data Policy, including its Limited Use requirements.

How to revoke access. You can disconnect at any time:

• In LinkGuard: open Settings → Integrations → Google Search Console and click Disconnect. This immediately invalidates and deletes the stored refresh token.
• On Google's side: visit your Google Account permissions page and remove LinkGuard's access.

Disconnecting stops all further data access. Revoking on Google's side additionally guarantees any token we hold can no longer be refreshed.

3. Legal Basis for Processing (GDPR Art. 6)

For users in the European Economic Area (EEA):

You may withdraw consent for marketing emails at any time via the unsubscribe link in any email, or by emailing privacy@linkguard.ai.

4. How We Use Your Data

We use collected data to:

• Provide the Service — run automated checks, generate alerts, display dashboards
• Send notifications — email and Telegram alerts for link status changes
• Process billing via Paddle (we do not process payments ourselves)
• Improve the product using aggregated, anonymized usage statistics
• Ensure security — detect abuse, rate-limit malicious traffic, investigate suspicious activity
• Comply with legal obligations

We never:

• Sell your data to third parties
• Use your data for advertising targeting
• Share your monitored URLs or backlink data with other customers
• Use your backlink data to benefit competitors

5. Data Sharing — Third Parties

We share Personal Data only as described below. We do not use Google Analytics, Facebook Pixel, or any advertising tracking on the Service.

We may also disclose data when required by a valid court order from Ukrainian or international authorities, but only to the extent legally required.

6. Data Retention

When you request account deletion, we begin a 30-day grace period before permanent removal, during which you may reverse the request.

7. Your Rights (GDPR)

If you are located in the EEA or a jurisdiction with equivalent rights, you have the right to:

• Access — request a copy of all Personal Data we hold about you
• Rectification — request correction of inaccurate data
• Erasure — request deletion of your Personal Data; we will act within 30 days
• Restriction — request that we pause processing in certain circumstances
• Portability — receive your User Data in a machine-readable format (JSON or CSV)
• Object — object to processing based on legitimate interest
• Withdraw consent — for marketing, at any time via unsubscribe link or email
• Complaint — lodge a complaint with a supervisory authority:
  • Ukraine: Ukrainian Parliament Commissioner for Human Rights
  • EU: your local Data Protection Authority

To exercise any right, email privacy@linkguard.ai with subject "Privacy Rights Request." We will respond within 30 calendar days.

8. California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights:

• Right to Know — request disclosure of categories and specific pieces of Personal Data we have collected
• Right to Delete — request deletion of your Personal Data
• Right to Opt-Out of Sale — we do not sell Personal Data. No opt-out mechanism is required.
• Right to Non-Discrimination — we will not discriminate for exercising your privacy rights
• Right to Correct — request correction of inaccurate Personal Data

To submit a California privacy request, email privacy@linkguard.ai with subject "California Privacy Request."

9. International Data Transfers

Our primary infrastructure is hosted with DeltaHost in Ukraine on VPS servers. Sentry error tracking uses EU-region servers.

Data processed by Paddle and SendPulse is covered by their respective Data Processing Agreements and Standard Contractual Clauses. We apply supplementary measures recommended by the European Data Protection Board, including encryption in transit (TLS 1.2+) and at rest, strict access controls, and minimization of data transferred.

You may request a copy of the applicable SCCs and information on the supplementary measures in place by emailing privacy@linkguard.ai.

10. Cookies and Local Storage

We use the minimum cookies necessary to operate the Service:

We do not use analytics cookies, marketing cookies, retargeting pixels, or any third-party tracking technology. Full cookie details are in our Cookie Policy.

11. Children's Privacy

The Service is intended for business users aged 16 and older (18 where required by local law). We do not knowingly collect Personal Data from anyone under 16. If you believe a minor has provided us data, contact privacy@linkguard.ai immediately and we will delete it.

12. Security Measures

We implement the following to protect your data:

• Passwords hashed with bcrypt at a minimum of 12 rounds
• All data in transit encrypted with TLS 1.2+
• JWT authentication tokens stored in HTTPOnly cookies — not localStorage
• CSRF protection on all state-changing requests
• Rate limiting on authentication endpoints (5 attempts per minute)
• Account lockout after repeated failed login attempts
• Sentry error tracking configured to mask/anonymize sensitive fields
• Access to production systems restricted to authorized personnel only

13. Changes to This Policy

We may update this Privacy Policy periodically. For material changes, we will email registered users at least 14 days before the effective date and display a notice on the website. Your continued use after the effective date constitutes acceptance.

14. Contact

For any privacy-related inquiry, data request, or complaint:

• Privacy email: privacy@linkguard.ai
• Response time: Within 30 calendar days

Data Controller: Andrii Andriievskyi, FOP, Ukraine