LnkWatch

Privacy notice

Effective 7 July 2026 · last updated 8 July 2026 · UK GDPR

Who we are

LinkWatch ("we") operates linkwatch.dev from the United Kingdom and is the data controller for the personal data described here. Contact for anything in this notice: [email protected]. We are a small operation and do not have (or legally need) a Data Protection Officer; the same address reaches the people who run the service.

What we hold

  • Account email — for sign-in and digest delivery (lawful basis: contract).
  • Site URLs you add — to provide the monitoring you asked for (contract).
  • Usage and IP logs — rate limiting and abuse prevention (legitimate interests).
  • Read-only DNS/registrar tokens you choose to connect — encrypted at rest, decrypted only in memory to list your domains, never logged, revocable by you at any time (contract).
  • Scanned page content — we extract outbound links and affiliate parameters and discard the rest; we do not store full page HTML.

Crawling itself relies on legitimate interests: we read publicly served pages of sites our customers warrant they control, and make lightweight health checks against merchant pages, at polite volumes, honouring robots.txt for merchant checks. Pages we crawl can incidentally contain personal data (an author byline, a comment); we extract link data only and discard the rest. We make no automated decisions with legal or similarly significant effects.

Where it lives (the honest bit)

The web application runs on Vercel behind Cloudflare. Authentication is provided by Clerk. Scan data and account records are stored in a PostgreSQL database on infrastructure we operate ourselves in the United Kingdom — a self-hosted server in Bournemouth with disk encryption and access controls, not a hyperscale data centre. We disclose this because you deserve to know where your URLs are processed. Transactional email is delivered by our email provider; payments (when live) are processed by Stripe. We do not sell personal data, full stop.

Our processors are: Vercel (application hosting), Cloudflare (DNS and traffic proxy), Clerk (authentication), Amazon Web Services (secrets and backups), our transactional email provider, and Stripe once payments are live. Some of these are US companies, so limited personal data (for example your sign-in email, held by Clerk) leaves the UK. Where that happens we rely on the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, which each of these providers offers in their standard data-processing terms.

Retention and your rights

  • Account email and site lists are kept for the life of your account and deleted when you delete it.
  • Link-health event history is keyed on merchants and products, not on you; aggregated anonymised statistics survive account deletion because they contain no personal data.
  • Connected registrar tokens are deleted when you disconnect them or delete your account. Operational logs (IPs, rate-limit counters) are short-lived — weeks, not years.
  • You have the usual UK GDPR rights: access, correction, export, erasure, restriction, and objection (including to anything we do under legitimate interests). Write to [email protected] — we answer within a month. You can complain to the ICO (ico.org.uk), though we'd appreciate the chance to fix it first.

Cookies and email

We use strictly necessary cookies only (your sign-in session) — no marketing cookies, no consent banner needed. Digest emails contain no tracking pixels: we don't spy on opens. Every digest has an unsubscribe link.

Changes

If we change this notice materially we'll email account holders before the change takes effect and update the date at the top. The current version always lives at this address.