Privacy Policy
Last updated: May 20, 2026
This Policy explains what data YourDirect (“we”) collects when you use our service (“Service”), why we collect it, and what rights you have over it. We try to keep it short and readable; if anything is unclear, email hello@yourdirect.link.
1. Who we are
YourDirect is the operator of yourdirect.link. We are the data controller for the personal data described below.
2. What we collect
From creators (account holders)
- Email address — required to sign in via magic link.
- Plan + subscription metadata — your plan, status, renewal date, and the Lemon Squeezy customer ID associated with your account. We don’t store card numbers; Lemon Squeezy handles all payment details.
- Content you create — link slugs, destination URLs, landing-page text and photos, button labels, custom domains, campaign tags.
- Approximate IP address — when you load the dashboard we hash your IP and store the hash so you can use the “exclude my own clicks” filter in analytics. We do NOT store raw IPs.
From visitors clicking your links (“fans”)
- User-Agent string — used to detect device type, OS, browser, and in-app browser context so the redirect works reliably.
- Approximate country & region — derived from the IP at our hosting edge. The raw IP is hashed with a project-specific salt (SHA-256) and only the hash is stored; the IP itself never lands in our database or logs.
- Referrer host — when the browser sends one (most social apps strip it).
- UTM parameters and campaign tag — read from the URL query string if present.
- Click outcome — which escape strategy the bouncer chose (e.g. opened in real browser, landed on landing page).
- Timestamp.
Fan data is kept on a per-link basis and shown to the creator that owns the link in aggregate. We do NOT build cross-creator profiles or sell fan data.
3. Why we collect it (lawful basis under GDPR)
- To provide the Service (contract, Art. 6(1)(b)) — account email, content, subscription metadata.
- Legitimate interest (Art. 6(1)(f)) — fan-side analytics (hashed IP, geo, UA, referrer) for creators to understand and improve link performance. We balance this against fan privacy by hashing IPs and not building cross-link profiles.
- Legal obligation — invoices, tax records (handled by Lemon Squeezy as MoR).
4. Cookies and similar technologies
The public bouncer pages (yourdirect.link/<slug>) set NO cookies and run NO trackers. The dashboard (app.yourdirect.link) uses one functional storage item to keep you signed in (your Supabase session token in localStorage). No third-party advertising or analytics cookies are set anywhere.
5. Third parties we share data with
- Supabase — database + authentication. Hosted in the AWS region we configured.
- Vercel — hosting + edge network for the bouncer and dashboard.
- Lemon Squeezy — billing & tax (Merchant of Record). Handles your payment data directly.
- Namecheap — affiliate link for domain purchases (we receive a small commission if you buy through our link).
Each of these has its own privacy policy. We do not share personal data with anyone else, and we do not sell personal data.
6. International transfers
Some of our processors operate from the United States. Where required, transfers rely on Standard Contractual Clauses or other appropriate safeguards under GDPR.
7. How long we keep your data
- Account data — for as long as your account exists; deleted within 30 days of account deletion.
- Click data — kept indefinitely while your link is active so historical analytics work. You can delete a link any time, which removes all associated click data.
- Billing records — kept by Lemon Squeezy under their own retention schedule (typically 7 years for tax compliance).
8. Your rights
If you’re in the EU/UK/CA or another jurisdiction with similar laws, you have the right to:
- access the personal data we hold about you;
- correct or update inaccurate data;
- delete your account and associated data (right to erasure);
- export your data in a portable format;
- object to processing based on legitimate interest;
- lodge a complaint with your local data-protection authority.
Email hello@yourdirect.link to exercise any of these. We respond within 30 days.
9. Security
We use HTTPS everywhere, row-level security at the database layer, hashed IPs for fan analytics, and salted token-based authentication. We do not store passwords (we use magic-link email sign-in). No system is 100% secure; if you discover a vulnerability, please email us before disclosing publicly.
10. Children
The Service is not intended for users under 18. We do not knowingly collect data from anyone under that age. If you believe a child has provided us data, email us and we will delete it.
11. Changes to this Policy
Material changes will be announced by email or in-product notice and the “Last updated” date above will be revised.
12. Contact
Questions, requests, or complaints: hello@yourdirect.link.