Privacy Policy

This Privacy Policy describes how LinkNest (“we,” “us,” or “our”) collects, uses, stores, and shares information in connection with the LinkNest web application (the “Service”). LinkNest is operated by Oui Digital, a doing-business-as (“DBA”) of Kalyxo LLC, a California limited liability company.

It applies to:

• Registered users who create and manage LinkNest accounts and pages
• Visitors who view publicly published LinkNest pages

This policy applies only to the Service as currently implemented and does not cover third-party websites or services linked from user pages.

When you create or use an account, we collect:

• Name
• Email address
• Password (stored only as a bcrypt hash, where applicable)
• Profile image (if provided through Google or GitHub OAuth)
• Workspace name, page titles, bios, links, text, images, and other content you choose to create

Depending on the login method you use, we collect:

• OAuth profile data from Google or GitHub (name, email address, profile image)
• Authentication tokens provided by OAuth providers
• Verification tokens for email verification or magic link login (temporary)

On publicly published pages only, we collect limited usage data:

• Page views
• Link click events (including the link label, destination URL, and internal block identifier)

Analytics are implemented using PostHog with memory-only persistence. No analytics cookies or local storage are used.

We collect limited technical data for security and abuse prevention purposes:

• IP address of a visitor who submits an abuse report (stored to enforce rate limits)
• Error logs, stack traces, and performance data collected via Sentry

We do not log or store IP addresses of general page visitors at the application level.

We use collected information to:

• Provide and operate the Service
• Authenticate users and secure accounts
• Display user-created public pages
• Process subscriptions and manage billing status
• Monitor usage and performance of public pages
• Detect, prevent, and respond to abuse, fraud, or technical issues

Only content that a user explicitly publishes is publicly visible. Public information may include:

• Page title, bio, avatar image
• Links, text blocks, headers, images, and other published content
• Custom URL slug and SEO metadata

Unpublished pages, dashboards, analytics, billing information, and account settings are private and accessible only to the authenticated user.

We use authentication cookies set by our authentication provider to keep users logged in. These cookies are:

• HTTP-only and secure
• Required for the Service to function

We do not use analytics cookies. Analytics data is collected in memory only and discarded when a visitor leaves the page.

We do not use advertising cookies or third-party tracking pixels.

We rely on the following third-party services to operate the Service:

• Neon (PostgreSQL database hosting)
• Cloudflare R2 (image and file storage)
• Google OAuth and GitHub OAuth (authentication)
• Emailit (transactional email delivery)
• Stripe (payment processing and billing)
• PostHog (analytics for public pages)
• Sentry (error monitoring and performance diagnostics)
• Upstash (rate limiting infrastructure)
• Google Safe Browsing (URL threat classification)
• Google Fonts (font delivery)
• Hosting provider (application hosting and network delivery)

Each provider processes data according to its own privacy policies.

Payments are processed entirely by Stripe. We do not collect or store credit card numbers or payment credentials.

We store limited billing-related information, including:

• Stripe customer ID
• Subscription status, plan, and billing period
• Workspace identifier associated with a subscription

We do not currently enforce a fixed data retention schedule.

• Account data and user-generated content remain stored until deleted by the user (where deletion is available)
• Verification tokens expire automatically
• Rate-limit data expires automatically
• Analytics and error data retention is controlled by third-party providers

We implement reasonable technical and organizational measures, including:

• HTTPS encryption for data in transit
• SSL-encrypted database connections
• Hashed password storage (bcrypt)
• Authentication and authorization checks on all protected routes
• Server-side input validation and file upload controls
• Rate limiting on sensitive operations

No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

Depending on your location, you may have rights to:

• Access the personal information we hold about you
• Request correction of inaccurate information
• Request deletion of your personal information
• Opt out of certain data uses where applicable

At this time, account deletion and data export tools are not implemented. Requests must be made by contacting us directly.