Privacy Policy
Last updated: March 2026
MaybeDeep ("we", "us", "our") operates the smart deep link service at maybedeep.link. This Privacy Policy explains what data we collect, how we use it, and your rights.
1. What data we collect
When someone clicks a MaybeDeep link, we record:
- Truncated IP address — the last octet of IPv4 addresses is zeroed (e.g., 192.168.1.x becomes 192.168.1.0) and IPv6 addresses are trimmed to the first 4 groups. The truncated IP is then hashed with SHA-256 + a secret salt. We never store full IP addresses.
- Device type — iOS, Android, or desktop.
- Browser family — e.g., Chrome, Safari, Firefox. No version numbers.
- Country — ISO country code (when GeoIP is enabled). No city-level data.
- Click timestamp — date and time of the click.
- Referrer domain — the domain (not full URL) that sent the user to the link.
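The truncate-then-hash step from the first item above, as an added example (not MaybeDeep's own code). It assumes the salt is prepended to the truncated address before SHA-256 and that IPv4-mapped IPv6 addresses are handled as IPv4; the function names and the salt value are constructed for illustration.

```python
import hashlib
import ipaddress

# Constructed placeholder. A real deployment loads the salt from a secret store.
# The salt must stay secret: there are only 2**24 possible truncated IPv4
# values, so an unsalted SHA-256 of them can be reversed by enumeration.
SALT = b"constructed-example-salt"


def truncate_ip(raw: str) -> str:
    """Zero the last IPv4 octet (/24) or keep the first 4 IPv6 groups (/64).

    Raises ValueError on input that is not a valid IP address.
    """
    addr = ipaddress.ip_address(raw.strip())
    # Assumption: an IPv4-mapped address (::ffff:a.b.c.d) is treated as IPv4.
    # Its first four groups are all zero, so a /64 cut would collapse every
    # such client into the single value "::".
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    prefix = 24 if addr.version == 4 else 64
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def pseudonymize(raw: str, salt: bytes = SALT) -> str:
    """Return the hex SHA-256 of salt + truncated address (assumed layout)."""
    truncated = truncate_ip(raw)
    return hashlib.sha256(salt + truncated.encode("ascii")).hexdigest()


if __name__ == "__main__":
    # Constructed sample addresses (private and documentation ranges).
    samples = [
        "192.168.1.57",
        "192.168.1.200",
        "2001:db8:85a3:8d3:1319:8a2e:370:7348",
        "::ffff:203.0.113.77",
    ]
    for ip in samples:
        print(f"{ip:40} -> {truncate_ip(ip):22} -> {pseudonymize(ip)[:16]}...")
```

Addresses in the same /24 (or /64) produce the same stored value, so the hash identifies a network block rather than an individual device.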
2. What we do NOT collect
- Full IP addresses — never stored, only truncated + hashed.
- Cookies on redirect pages — we do not set tracking cookies. The only cookie is a session-scoped unlock token for password-protected links.
- Device fingerprints — no canvas, WebGL, or font fingerprinting.
- Cross-site tracking — no tracking pixels, no third-party analytics.
3. Legal basis (GDPR)
We process click analytics data under legitimate interest (Article 6(1)(f) GDPR). Link creators have a legitimate interest in understanding how their links perform. We minimize the data collected to what is strictly necessary for this purpose.
For registered users, account data (email, name) is processed under contract performance (Article 6(1)(b) GDPR).
4. Data retention
- Raw click records: 90 days, then deleted.
- Aggregated analytics: 24 months (click counts per day, device breakdown).
- Account data: retained while account is active. Deleted within 30 days of account deletion.
5. Your rights
Under GDPR, you have the right to:
- Access — request a copy of data we hold about you.
- Erasure — request deletion of your account and associated data.
- Objection — object to processing of click data for your links.
- Portability — receive your data in a machine-readable format.
To exercise these rights, email noreply@example.com.
6. Third-party services
- Clerk — authentication. Their privacy policy: clerk.com/legal/privacy
- Stripe — payment processing. Their privacy policy: stripe.com/privacy
- Google Web Risk — URL safety scanning. Only the URL is sent, no user data.
7. Contact
For privacy inquiries: noreply@example.com