Legal

Privacy Policy

This notice explains what personal data Lynko collects, why, and your rights under the UK GDPR and the Data Protection Act 2018. Lynko Ltd ("Lynko", "we") is the data controller for our website and accounts. For leads submitted to a card holder via the "Share your contact" form, the card holder is the controller and Lynko acts as their processor.

Who we are

Lynko Ltd, United Kingdom. Contact: privacy@lynko.com. ICO registration: pending (we will publish our number on registration).

What we collect and why

• Account data (email, name, password hash, profile content) — to provide the service. Lawful basis: contract (Art. 6(1)(b)).
• Billing data (Stripe customer ID, subscription status, invoices) — to take payment and meet tax obligations. Lawful basis: contract + legal obligation (Art. 6(1)(b) and (c)). Card numbers never touch our servers; they are handled by Stripe.
• Card-tap analytics — we count taps and store a coarse device bucket (mobile/desktop), source (NFC/QR/direct) and approximate country. We do not store IP addresses, browser fingerprints, or visitor identifiers. This is aggregate analytics under legitimate interest (Art. 6(1)(f)).
• Leads (name, email, phone, company, message a visitor submits to a card holder) — to deliver the message to the card holder. Lawful basis: the visitor's explicit consent (Art. 6(1)(a)). We log the consent text + timestamp as proof.
• Support emails — to reply. Lawful basis: legitimate interest.

Cookies and tracking

We only use strictly-necessary storage: a session token in localStorage to keep you signed in, and a Stripe checkout cookie when you're paying. We do not use third-party advertising cookies and we do not run cross-site tracking. Because nothing we store is non-essential, no cookie banner is required under PECR.

Who we share data with (processors)

• Lovable Cloud / Supabase — database, authentication, file storage (EU/US).
• Stripe Payments UK Ltd — payments, subscriptions, tax (UK/EU/US).
• Cloudflare — content delivery, DDoS protection (global).

We have written processor agreements with each. International transfers outside the UK rely on the UK IDTA or the EU SCCs + UK Addendum.

How long we keep data

• Account + profile content: while your account is active, deleted on request.
• Card-tap analytics: 13 months, then aggregated.
• Leads: until the card holder deletes them (or you ask us to).
• Invoices and tax records: 6 years (HMRC requirement).

Your rights

You have the right to: access, rectify, erase, restrict, port, and object to processing of your personal data, and to withdraw consent at any time. You can delete your account from the dashboard (Overview → Delete account). To exercise any other right, email privacy@lynko.com — we respond within one month.

You can complain to the UK Information Commissioner's Office at ico.org.uk or 0303 123 1113.

If you're outside the UK

Lynko serves card holders and visitors across the EEA. Our EU Article 27 representative is being appointed; their details will be published here. For now, EU residents can also contact us at privacy@lynko.com.

Children

Lynko is not for under-13s. If you believe a child has signed up, email us and we will remove the account.

Changes

Material changes are announced by email to account holders at least 14 days before they take effect.

Last updated: 14 June 2026 · Version 2026-06-14-v1