Privacy statement for Privacylink
This privacy statement describes how Privacylink processes personal data in connection with account use, making messages available, sending transactional emails, language preferences and securing the service. The statement is intended for senders, recipients and other visitors to the website.
Privacylink is in beta.
The service is intended to test functionality, security and user experience in a controlled way. Features, copy and operational procedures may still change during this phase.
Do not use Privacylink during this beta for information with an exceptionally high risk profile, such as medical records, criminal-law data, full identity documents or large volumes of personal data.
Who is responsible for the processing
The controller for Privacylink is Softable, registered with the Dutch Chamber of Commerce under number 39096455. Softable is established in Almere and can be reached via info@softable.nl.
Privacylink is offered through privacylink.eu. Questions about this privacy statement or about the processing of personal data may be directed to Softable.
Which personal data is processed
Privacylink processes, among other things, sender account details, sender and recipient email addresses, subject lines, timestamps of actions, status information relating to verification and delivery, technical log data, security and audit data, and data needed to limit abuse. A recipient's email address is typically provided by the sender and is therefore not obtained directly from the recipient.
The confidential message content is encrypted in the sender's browser before storage takes place. The server therefore receives encrypted content and related technical data, but not the readable message content. A message subject remains readable metadata so that sender and recipient can identify the message.
Why this data is processed
Personal data is processed for account management, authentication, generating and temporarily making messages available, mailbox verification, sending confirmation emails, password emails, verification codes and open notifications, showing status information to the sender, and technically securing and operating the service.
For recipients, processing is necessary to make the sender's intended message available in a controlled way, perform mailbox verification and limit abuse. Depending on the situation, processing is based on performance of the agreement with the sender, on Softable's legitimate interest in enabling controlled delivery and preventing abuse or disruptions, and where necessary on legal obligations. Privacylink does not use personal data for advertising purposes or commercial profiling.
With whom data is shared
Privacylink uses Contabo for hosting and infrastructure, with hosting in Germany. Privacylink uses Brevo to send transactional emails. Brevo may process email addresses, send timestamps, subject lines and the content of service emails sent by Privacylink, such as confirmation emails, password reset emails, verification codes and open notifications. More information about privacy at Contabo.
Privacylink uses Cloudflare Turnstile to protect account and password pages against automated abuse. Brevo does not have access to the secret message content shared through a Privacylink, because that content is neither stored by Privacylink in readable form nor sent through Brevo. Where external service providers process personal data, this is done under appropriate arrangements with those providers. More information: More information about data storage at Brevo , GDPR at Brevo and privacy at Cloudflare.
How long data is kept
Messages remain available only temporarily and expire automatically according to the selected validity period. Once a message has been opened, revoked, locked or expired, the encrypted message content is removed from the database and can no longer be retrieved through the server. Verification codes are valid for ten minutes. Expired OTP records, temporary abuse counters and expired consume tokens are cleaned up periodically.
Status and audit data linked to a message may remain visible for management, error analysis, abuse prevention and accountability towards the sender. Account data and administrative data may be retained for longer for account management, continuity of the service and legal obligations. The website uses functional cookies for authentication, anti-forgery and language preferences; Privacylink does not use tracking cookies or advertising profiles.
Which technical restrictions are applied
Privacylink applies technical restrictions to limit spam, automated abuse, verification-code exhaustion and unwanted email sending. This includes daily limits, short-term rate limits, captcha checks, OTP limits per message, abuse counters and account limits.
For these security measures, Privacylink processes limited technical data, such as hashed email addresses, hashed IP addresses, user-agent data, timestamps, numbers of verification codes sent and numbers of messages created. This data is used for security, fraud prevention, error analysis and accountability, and not for advertising purposes.
Which rights data subjects have
Data subjects may ask Softable for access to their personal data and, where applicable, for rectification, erasure, restriction of processing, data portability or objection to processing based on legitimate interests. Where processing would be based on consent, that consent may be withdrawn. Privacylink does not apply automated decision-making or profiling that produces legal or similarly significant effects.
Where a recipient's personal data has not been obtained directly from that recipient, this is because the sender provided the email address for message delivery. Softable informs the recipient when the recipient opens the link and accesses the website. Requests relating to privacy rights may be directed to Softable. Additional information may be requested to verify the identity of the requester.
Use and functional limitations
Intended use
- The service is intended for lawful communication in which confidential information is shared temporarily and in a controlled manner.
- The sender remains responsible for the choice of delivery channel and for sharing the full link with due care.
- A message subject should be used as a recognizable label and not to include confidential content.
Use that is not intended or not allowed
- Use for spam, phishing, intimidation, malware or other unlawful activities is not allowed.
- The service is not intended to be the only protective measure for information with an exceptionally high risk profile.
- Softable does not guarantee absolute secrecy, uninterrupted availability or suitability for every conceivable category of confidential information.
Questions, requests and complaints
For privacy questions, data subject requests or reports of misuse, contact info@softable.nl.
Data subjects also have the right to lodge a complaint with the competent supervisory authority. In the Netherlands, this is the Dutch Data Protection Authority.
More information about complaints to the supervisory authority is available at autoriteitpersoonsgegevens.nl.