GDPR Compliance
Last updated: February 5, 2026
Our commitment to GDPR
Sublynk is fully committed to GDPR compliance. As a France-based business, we have designed our platform with Privacy by Design and data protection as core principles.
Information about the data controller
Company: Sublynk – Micro-enterprise
Address: 19 rue Delandine, 69002 Lyon, France
Email: contact@sublynk.fr
GDPR contact / Privacy lead: contact@sublynk.fr
Personal data collected
We only collect personal data that is strictly necessary to operate the service:
- Account data: Email, first name, last name, password (hashed with bcrypt), creation date
- Organization data: Organization name, slug, billing email, time zone
- Customer data (your subscribers): Telegram username (required), Telegram identifier (if available), display name (optional), email (optional — only if you provide it during checkout)
- Payment data: Stripe transaction identifiers, amounts, statuses (we do NOT store card numbers)
- Technical data: IP address (server logs), browser type, pages visited, timestamps
Cookies and trackers
We use cookies that are strictly necessary for the service to function, as well as audience measurement trackers (Google Analytics via Google Tag Manager) only after your consent, when required.
- Authentication / session cookie(s): User authentication and session persistence – Duration: session / up to 7 days
- Language preference cookie (NEXT_LOCALE): Stores your selected language – Duration: 1 year
✓ No advertising tracking is activated without your consent.
Legal basis for processing
We process personal data on the following legal bases:
- Performance of a contract (Art. 6(1)(b)): Account management, payment processing, Telegram channel access management, sending invitation links, and transactional notifications (Telegram; email only if provided)
- Legitimate interest (Art. 6(1)(f)): Service improvement, fraud prevention, security, technical logs and debugging
- Legal obligation (Art. 6(1)(c)): Retention of billing data (10 years), tax reporting
- Consent (Art. 6(1)(a)): Newsletter and marketing communications (opt-in only, unsubscribe anytime)
Data recipients
Your personal data may be accessed by:
- Sublynk internal team: Customer support and technical administration (limited to what is strictly necessary)
- Technical processors: Hosting, payments, email delivery (see dedicated section below)
- Legal authorities: Only upon a lawful request (court order, legal requisition)
We never sell your personal data to third parties.
Your rights under GDPR
As a data subject, you have full rights under GDPR. Here is how to exercise them:
Right of access (Art. 15)
Request a copy of the personal data we hold about you. Contact us at contact@sublynk.fr for a complete access request.
Right to rectification (Art. 16)
Correct inaccurate data directly in your dashboard (profile, organization), or contact us to update information you cannot edit yourself.
Right to erasure (Art. 17)
Request deletion of your account and associated data by contacting contact@sublynk.fr. We will delete or anonymize data within 30 days, except where legal retention is required (billing data: 10 years) or where necessary to handle disputes/fraud.
Right to data portability (Art. 20)
Request an export of your data in a structured format (JSON) by contacting us. This includes your account information, products, customers, and transaction history.
Right to object (Art. 21)
Object to processing based on legitimate interest. Contact us at contact@sublynk.fr and we will review your request within 30 days.
Right to restriction (Art. 18)
Request restricted processing while we verify data accuracy or assess an objection. Contact us at contact@sublynk.fr.
Processing activities and retention periods
| Activity | Data | Retention | Legal basis |
|---|---|---|---|
| Account management | Email, name, hashed password | Until account deletion + 30 days | Contract |
| Billing | Transactions, amounts, invoices (handled via Stripe; payment email collected by Stripe) | 10 years (tax obligation) | Legal obligation |
| Telegram access management | Telegram username (required), Telegram IDs (if available), invitation links; email only if provided | Subscription duration + 30 days | Contract |
| Technical logs | IP, user-agent, timestamps | 12 months | Legitimate interest |
| Customer support | Email exchanges | 3 years after last contact | Legitimate interest |
Processors
We use the following processors to provide our service. Each has appropriate safeguards for data transfers:
| Processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Stripe | Payment processing, subscription management | USA | SCC (where applicable) + security measures (encryption, minimization); DPF where applicable depending on certification |
| Brevo (formerly Sendinblue) | Transactional email delivery (confirmations, invitation links) | France (EU) | EU hosting, GDPR-compliant |
| Vercel | Frontend hosting (website) | USA (Edge: global) | SCC + supplementary measures (TLS encryption, minimization) |
| Fly.io | API and Telegram bot hosting | Frankfurt region (EU) | Data hosted in the EU (depending on region configuration) |
| Neon (PostgreSQL) | Primary database | Frankfurt region (EU) | Data hosted in the EU, encryption at rest (depending on provider configuration) |
| Telegram | Bot API to manage channel access | Global | Minimal data (IDs only); we do not store message content |
International transfers
Some of our processors may be based in or operate outside the EU/EEA (e.g., Stripe, Vercel). For these transfers, we rely on appropriate safeguards such as:
- Data Privacy Framework (DPF): For certified companies, where applicable
- Standard Contractual Clauses (SCC): Approved by the European Commission
- Supplementary measures: Encryption in transit (TLS 1.3), data minimization, pseudonymization where possible
Security measures
We implement technical and organizational measures to protect your data:
- Encryption in transit (TLS 1.3) for all communications
- Encryption at rest when available with our providers (e.g., database)
- Passwords hashed with bcrypt (never stored in plain text)
- Authentication tokens with expiration and renewal mechanisms
- Strict access controls (least privilege principle)
- Security incident response procedures
Personal data breach notification
In case of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the CNIL within 72 hours and inform you without undue delay in accordance with Articles 33 and 34 of GDPR.
Exercise your rights / Contact us
For any request relating to your personal data or to exercise your GDPR rights:
Email: contact@sublynk.fr
Response time: Within 30 days maximum (as required by GDPR)
Cost: Free of charge (except for manifestly unfounded or excessive requests)
Supervisory authority
You have the right to lodge a complaint with the CNIL (French Data Protection Authority), our supervisory authority:
CNIL
3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07
www.cnil.fr