Privacy Policy

1. Introduction

Welcome to HushLink. This privacy policy explains how Vibrate, LLC ("Company", "we," "our," or "us") collects, uses, and safeguards your information when you use our service at hushlink.me.

Data Controller: Vibrate, LLC is the data controller responsible for your personal information. We are committed to protecting your privacy and complying with applicable data protection laws, including GDPR and CCPA/CPRA.

2. Information We Collect

2.1 Information You Provide

• Account information (name, email address)
• Content you upload (text, images, videos, documents)
• Payment information (processed securely through Stripe)
• Settings and preferences

2.2 Automatically Collected Information

• Usage data (views, unlocks, interactions)
• Device information (browser type, operating system)
• IP addresses and location data
• Cookies and similar tracking technologies
• Internet or other electronic network activity information (page views, referral sources, session duration)

2.3 Analytics Data

We use Vercel Analytics, a privacy-first, cookieless analytics service, to monitor site performance and user behavior. Vercel Analytics collects:

• Page views and navigation paths
• Referral sources (where visitors come from)
• Geographic location data (country/region level only, derived from IP address)
• Device type and browser information
• Session duration and interaction patterns

Important: Vercel Analytics does not use cookies, does not track individual users across sessions, and collects only anonymized, aggregated data. No personally identifiable information (PII) is collected by this service.

Legal Basis (GDPR): We process this analytics data based on our legitimate interest in monitoring site performance, improving user experience, and optimizing our platform. This processing does not override your fundamental rights and freedoms.

California Residents (CCPA/CPRA): The analytics data collected constitutes "internet or other electronic network activity information." Because this data is anonymized and aggregated, it does not constitute "personal information" under CCPA as it cannot reasonably identify, relate to, describe, or be linked to you. However, we disclose its collection for transparency.

3. How We Use Your Information

We use your information to:

• Provide and maintain our service
• Process your payments and transactions
• Send you notifications and updates
• Improve and optimize our platform
• Prevent fraud and ensure security
• Comply with legal obligations
• Provide analytics about your shared content

4. Data Storage and Security

We implement appropriate technical and organizational measures to protect your data:

• All content is encrypted during transmission and at rest
• Payment information is processed through Stripe and never stored on our servers
• Access to personal data is restricted to authorized personnel only
• Regular security audits and updates

5. Content Ownership and Control

You retain all ownership rights to the content you upload. We store your content only to provide our service. You can:

• Delete your content at any time
• Set expiration limits for your secrets
• Control who can access your content
• Export your data upon request

6. Third-Party Services

We use the following third-party services:

6.1 Payment Processing

Stripe, Inc. - For payment processing and payout management

• Purpose: Processing payments, managing Connect accounts, handling payouts
• Data Shared: Name, email, banking information, transaction details
• Privacy Policy: stripe.com/privacy

6.2 Cloud Storage

Supabase - For secure file hosting and database management

• Purpose: Storing your uploaded content securely
• Data Shared: Account information, uploaded files, metadata
• Privacy Policy: supabase.com/privacy

6.3 Analytics

Vercel Analytics - For privacy-first, cookieless website analytics

• Purpose: Monitoring site performance, understanding user behavior, optimizing platform experience
• Data Collected: Page views, referral sources, geographic region (country/region only), device type, browser information, session duration
• Key Features: Cookieless tracking, no cross-site tracking, anonymized and aggregated data only
• Privacy Policy: vercel.com/legal/privacy-policy

Note: Because Vercel Analytics is cookieless and does not collect personally identifiable information, you are not required to accept cookies for analytics purposes when using HushLink.

These third-party services have their own privacy policies governing their use of your information. We encourage you to review them.

7. Cookies and Tracking Technologies

We do not use cookies. HushLink does not set, store, or use cookies for any purpose, including analytics, advertising, preferences, or tracking.

7.1 Authentication

User authentication and session management are handled entirely by Supabase using secure, httpOnly tokens. These authentication tokens are managed by Supabase and are essential for you to access your account. Disabling these will prevent you from logging in.

7.2 Cookieless Analytics

We use Vercel Analytics, a completely cookieless analytics service. No cookies are set for analytics purposes. Vercel Analytics uses server-side tracking that does not require cookie consent under GDPR or ePrivacy regulations.

8. Data Retention

We retain your data for as long as your account is active or as needed to provide services. When you delete content or your account, we remove it from our active systems within 30 days. Backup copies may persist for up to 90 days.

8.1 Account Deletion & Data Retention

When you delete your HushLink account, the following occurs:

Immediately Deleted:

• All secret content you created
• Your notifications and activity history
• Your session data and access tokens
• Detailed transaction logs

Retained for Legal Compliance (7 years):

• Email address (for fraud prevention and re-registration tracking)
• Stripe Connect Account ID (for Stripe-related investigations)
• Aggregated financial summaries (total revenue, total payouts, transaction count)
• Account creation and deletion dates
• Deletion audit metadata (IP address, timestamp)

Why We Retain This Data:

• Legal and Regulatory Compliance: Tax authorities and financial regulations require retention of financial records for 7 years in most jurisdictions
• Fraud Prevention: Email addresses and IP data help prevent abuse and protect our platform
• Investigation Support: Stripe may contact us regarding disputes, chargebacks, or compliance matters related to your Connect account
• Legal Defense: Retained data may be necessary to establish, exercise, or defend legal claims

Your Stripe Account:

Deleting your HushLink account does NOT delete your Stripe Connect account. Your Stripe account remains active and is managed independently at dashboard.stripe.com. If you wish to close your Stripe account, you must do so separately through Stripe's platform. We retain your Stripe Account ID solely for compliance and investigation purposes.

Your Rights Regarding Retained Data:

• Request information about what data we retain: info@hushlink.me
• Request complete deletion with legal justification (we will evaluate based on applicable law)
• File a complaint with your local data protection authority if you believe your rights have been violated

9. Your Rights

9.1 General Rights (All Users)

You have the right to:

• Access your personal data
• Correct inaccurate data
• Request deletion of your data (subject to legal retention requirements)
• Object to data processing
• Export your data
• Withdraw consent at any time

9.2 Additional Rights for EU/EEA Residents (GDPR)

If you are located in the European Union or European Economic Area, you have additional rights under the General Data Protection Regulation (GDPR):

• Right to Restriction: Request that we restrict processing of your data in certain circumstances
• Right to Data Portability: Receive your data in a structured, machine-readable format
• Right to Object: Object to processing based on legitimate interests (including analytics)
• Right to Lodge a Complaint: File a complaint with your local supervisory authority

To exercise these rights, contact us at info@hushlink.me

9.3 Additional Rights for California Residents (CCPA/CPRA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to Know: Request disclosure of the categories and specific pieces of personal information we collect, use, disclose, and sell
• Right to Delete: Request deletion of your personal information (subject to exceptions for legal compliance, fraud prevention, and security)
• Right to Correct: Request correction of inaccurate personal information
• Right to Opt-Out: We do not sell or share your personal information for cross-context behavioral advertising
• Right to Limit Use of Sensitive Personal Information: We do not use or disclose sensitive personal information for purposes other than those permitted by law
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights

Notice at Collection (CCPA Requirement): We collect the following categories of personal information:

• Identifiers (name, email, IP address)
• Financial information (Stripe Connect Account ID, transaction summaries)
• Internet or electronic network activity (page views, device information via Vercel Analytics)
• Commercial information (transaction history, payment records)
• User-generated content (uploaded files, secret content)

Business Purpose: This information is collected to provide our content-sharing platform, process payments, prevent fraud, comply with legal obligations, and improve our services.

To exercise your California privacy rights, contact us at info@hushlink.me with "California Privacy Request" in the subject line.

10. Children's Privacy

Our service is not intended for users under 18 years of age. We do not knowingly collect information from children under 18. If you believe we have collected such information, please contact us immediately.

11. International Data Transfers

Your data may be transferred to and processed in countries other than your country of residence. We ensure appropriate safeguards are in place for such transfers.

12. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of significant changes by email or through a notice on our platform. Continued use after changes constitutes acceptance.

13. Contact Us

If you have questions about this privacy policy or our data practices, please contact Vibrate, LLC at:

For GDPR-related inquiries: EU/EEA residents may contact us at the above email address to exercise their data protection rights or lodge a complaint with their local supervisory authority.