Privacy Policy
Last updated: May 29, 2026
At only.link ("we", "us", or "our"), we respect your privacy and are committed to protecting your personal data. This Privacy Policy explains what information we collect, how we use it, and your rights regarding your data.
1. Information We Collect
1.1 Account Information
When you create an account, we collect:
- Username: Your chosen username for your profile
- Email address: Optional, for account recovery and notifications
- Password: Stored as a bcrypt hash (10 rounds) — we never store plain-text passwords
- Avatar: Optional profile image (JPEG, PNG, or WebP, max 2MB)
1.2 Bookmark Data
When you save bookmarks, we collect:
- URL: The web address you're bookmarking
- Title: The title you give to the bookmark
- Description: Optional text description
- Tags: Keywords you associate with the bookmark
- Privacy setting: Whether the bookmark is public or private
- OpenGraph images: Thumbnail images automatically fetched from the bookmarked URL
- Timestamps: When the bookmark was created
1.3 Social Graph Data
When you interact with other users:
- Follows: Records of which users you follow and who follows you
- Public interactions: Visible only when viewing public profiles
1.4 Usage Data
We automatically collect:
- Session cookies: JWT tokens (7-day expiration) for authentication
- IP address: For security and rate limiting (5 login attempts per 15 minutes)
- Analytics data: Via Google Analytics (page views, browser type, general location)
2. How We Use Your Information
2.1 Core Functionality
- Provide bookmark management services
- Display your profile and public bookmarks
- Enable social features (following users, discovering bookmarks)
- Authenticate your account securely
2.2 Service Improvement
- Analyze usage patterns to improve features
- Monitor performance and fix bugs
- Understand which features are most valuable
2.3 Security
- Prevent unauthorized access and abuse
- Rate limit requests to prevent spam
- Enforce security policies (HTTPS, secure cookies)
2.4 Communication
- Send password reset tokens (if email provided)
- Notify you of important service updates (rarely)
3. Data Storage and Security
3.1 Security Measures
- Password hashing: bcrypt with 10 rounds (industry standard)
- HTTPS: All data transmitted over encrypted connections
- Secure cookies: HttpOnly cookies prevent XSS attacks
- Rate limiting: Protection against brute-force attacks
- Input validation: All user inputs are sanitized
- Helmet.js: Security headers (CSP, HSTS, X-Frame-Options)
3.2 Data Storage
- Database: SQLite with foreign key constraints and cascade deletes
- Avatars: Stored locally in
/uploads/avatars/ - Backups: Regular database backups (if configured)
- Location: Hosted on Hostinger VPS (data center location based on server choice)
4. Data Sharing and Disclosure
4.1 Public vs. Private Data
- Public bookmarks: Visible to anyone, appear on your profile and in public feeds
- Private bookmarks: Visible only to you when logged in
- Profile information: Username and avatar are always public
- Email address: Never shared publicly
4.2 Third-Party Services
- Google Analytics: Anonymous usage statistics (IP anonymized)
- OpenGraph fetching: We fetch thumbnails from bookmarked URLs
4.3 We DO NOT
- ❌ Sell your personal data
- ❌ Share your data with advertisers
- ❌ Track you across other websites
- ❌ Send marketing emails (unless you opt-in)
5. Your Rights and Choices
5.1 Access and Control
You can:
- View your data: All your bookmarks and profile info are accessible in your account
- Edit your data: Update username, email, avatar, and bookmarks anytime
- Export your data: Contact us for a JSON export of all your bookmarks
- Delete your account: Via Settings → Account → Delete Account (permanent and irreversible)
5.2 Privacy Controls
- Bookmark visibility: Choose public or private for each bookmark
- Default visibility: Set your preferred default in Settings
- Profile visibility: Your profile is public, but you control what bookmarks appear on it
6. Data Retention
- Active accounts: Data retained as long as your account exists
- Deleted accounts: All data (bookmarks, follows, avatar) permanently deleted within 30 days
- Password reset tokens: Expire after 1 hour and are cleaned up regularly
- Session cookies: Expire after 7 days of inactivity
- Backups: May contain deleted data for up to 30 days
7. Cookies and Tracking
7.1 Essential Cookies
- Authentication token: JWT cookie for keeping you logged in (7 days)
- Purpose: Required for the service to function
- Can be disabled: No, but you can log out to clear
7.2 Analytics Cookies
- Google Analytics: Tracks page views and usage patterns
- Purpose: Help us understand how the service is used
- Can be disabled: Yes, via browser extensions or Do Not Track
8. Children's Privacy
only.link is not intended for users under 13 years old. We do not knowingly collect data from children. If you believe a child has created an account, please contact us and we will delete it.
9. International Data Transfers
Your data is stored on servers that may be located outside your country. By using only.link, you consent to the transfer of your data to our hosting provider's data centers.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by updating the "Last updated" date at the top of this page. Continued use of the service after changes constitutes acceptance of the updated policy.
11. Your Legal Rights (GDPR/CCPA)
Depending on your location, you may have the right to:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate data
- Erasure: Request deletion of your data ("right to be forgotten")
- Portability: Receive your data in a machine-readable format
- Objection: Object to processing of your data
- Restriction: Request limitation of data processing
To exercise these rights, contact us at the address below.
12. Contact Us
If you have questions about this Privacy Policy or your data, contact:
Anderson Cardelli Façanha
Email: kardelly@gmail.com
Website: https://onlylinks.id
13. Data Processing Summary
| Data Type | Purpose | Retention |
|---|---|---|
| Username, Password | Authentication | Until account deletion |
| Email (optional) | Recovery, notifications | Until account deletion |
| Bookmarks, Tags | Core service | Until deleted by user |
| Follow relationships | Social features | Until account deletion |
| Session cookies | Keep you logged in | 7 days or logout |
| Analytics data | Service improvement | 26 months (Google) |