Privacy Policy
NFMM LLC, a limited liability company incorporated in the State of Delaware, United States of America (“Company,” “we,” “us,” or “our”), operates the LinksDrop service (the “Service”). This Privacy Policy explains how we collect, use, disclose, and safeguard personal data when you use the Service. It applies to all visitors to our website and all users of our platform.
This policy is designed to comply with applicable data protection laws, including the EU General Data Protection Regulation (GDPR), the UK General Data Protection Regulation (UK GDPR), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), the Delaware Personal Data Privacy Act (DPDPA), and other applicable US state privacy laws (including those of Colorado, Connecticut, Virginia, Texas, and other states with comprehensive privacy legislation).
Please read this policy carefully. If you disagree with its terms, you should discontinue use of the Service.
1. Data Controller and Contact Information
NFMM LLC is the data controller for personal data we collect directly from you as a customer of the Service (account data, billing data, and your use of the platform).
For questions, data requests, or complaints relating to this Privacy Policy, contact us at:
- Email: info@linksdrop.io
- Entity: NFMM LLC, State of Delaware, USA
Delaware residents may also submit privacy complaints to the Delaware Department of Justice at privacy@delaware.gov.
1.1 EU and UK Representative (GDPR / UK GDPR Article 27)
NFMM LLC is established in the United States and does not have an establishment in the European Union or the United Kingdom. In accordance with Article 27 of the GDPR and Article 27 of the UK GDPR, where we offer the Service to data subjects in the EEA or the UK, we have designated an Article 27 Representative to act as the point of contact for data subjects and supervisory authorities on matters related to this Privacy Policy.
EU / EEA Representative: [Pending appointment - to be designated before the Service is offered to data subjects in the EEA. Until designation is complete, EEA data subjects may contact NFMM LLC directly at info@linksdrop.io.]
UK Representative: [Pending appointment - to be designated before the Service is offered to data subjects in the United Kingdom. Until designation is complete, UK data subjects may contact NFMM LLC directly at info@linksdrop.io.]
Once appointed, the name and contact details of each Representative will be inserted in this section. Data subjects retain the right to contact NFMM LLC directly in addition to, or instead of, the Representative.
2. Our Role: Controller vs. Processor
We act in two distinct capacities depending on the data involved:
- As data controller - for personal data we collect directly from you as a customer (your account information, billing data, support communications, and your use of our platform).
- As data processor (or “service provider” under US state privacy laws) - for analytics data about visitors who click short links or view landing pages created by you. In this capacity, you (our customer) are the data controller, and we process visitor data on your behalf and according to your instructions as described in our Terms of Service, Section 9 (Data Processing Terms).
This Privacy Policy primarily describes our practices as a data controller. For information about how we process visitor analytics data on behalf of our customers, see Section 5 below.
3. Data We Collect
We collect personal data in the following categories:
3.1 Account Data
Name, email address, password (stored as a cryptographic hash, never in plaintext), preferred language, and account creation date, provided when you register. If you use the Service on behalf of an organization, we may also collect the organization name.
3.2 Billing Data
Payment method details are processed and stored by our payment processor, Stripe, Inc. We store only your Stripe customer reference ID, subscription status, plan information, and billing history (invoices and payment dates). We do not store your full credit card number on our servers.
3.3 Usage Data
Links you create, landing pages, campaigns, custom domains, uploaded files (such as PDF documents and images), and other content you submit through the Service.
3.4 Click Analytics Data (Processed on Behalf of Customers)
When a short link or landing page is accessed by a visitor, we record:
- A keyed HMAC-SHA256 hash of the visitor’s IP address and User-Agent string, computed using a per-instance secret salt. Raw IP addresses and User-Agent strings are not retained after the hash is generated. We treat the resulting hashes as pseudonymized data under Article 4(5) of the GDPR: re-identification is not feasible without access to the secret salt held by NFMM LLC, but the data remains personal data and continues to be protected accordingly.
- The referrer URL.
- Approximate geolocation and network information derived from the IP address at the time of the click, including country, city, coordinates, internet service provider, network/organization name, connection type, and local time zone.
- Device type, browser name, and operating system.
- Timestamp of the visit.
- A risk classification derived from the IP address (such as VPN, proxy, Tor, relay, anonymizer, known-attacker, or cloud-hosting status, and an aggregate threat score) at the time of the click.
3.5 Landing Page Lead Data
If a visitor submits a contact form on a landing page created by one of our customers, we collect the information the visitor provides (such as name, email, and message). This data is processed on behalf of the customer who created the landing page. A hashed IP address is recorded for spam prevention.
3.6 Log Data
Server logs containing timestamps, request paths, HTTP status codes, and error information. Raw IP addresses are not retained in long-term log storage.
3.7 Cookies and Local Storage
We use a limited number of cookies and browser storage mechanisms. See Section 7 (Cookies) for details.
4. Legal Basis for Processing (GDPR / UK GDPR)
For individuals in the European Economic Area (EEA) and the United Kingdom, we process personal data on the following legal bases:
- Contract performance (Art. 6(1)(b) GDPR) - processing necessary to provide the Service you have subscribed to, including account management, billing, and delivering features.
- Legitimate interests (Art. 6(1)(f) GDPR) - security monitoring, fraud and abuse prevention, service improvement, and aggregated analytics. We conduct balancing tests to ensure our interests do not override your fundamental rights.
- Legal obligation (Art. 6(1)(c) GDPR) - retaining billing records as required by applicable tax and accounting law.
- Consent (Art. 6(1)(a) GDPR) - where we ask for it explicitly, such as for optional marketing communications. You may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
5. Click Tracking and End-User (Visitor) Privacy
When visitors click a short link or view a landing page created by one of our customers, we collect analytics data on the customer’s behalf (see Section 3.4). In this context:
- Our customers are the data controllers for their visitors’ analytics data. We act as the data processor.
- Raw IP addresses are not retained. We apply an HMAC-SHA256 hash with a per-instance secret salt immediately upon receipt; the unhashed IP address is not written to persistent storage. The resulting hash is treated as pseudonymized personal data: re-identification is not feasible without access to the secret salt held by NFMM LLC.
- Geolocation is derived from the IP address at the time of the click using a third-party geo-IP service. The IP is used for the lookup and then immediately hashed; it is not retained in its original form.
- Bot detection identifies known automated crawlers and tools by User-Agent pattern matching to exclude non-human traffic from analytics. No automated decisions with legal or similarly significant effects are made based on this detection.
- Unique click deduplication uses hashed fingerprints within a 24-hour window to distinguish unique visitors from repeat visits. This is done using hashed, non-reversible data only.
If you are a visitor who clicked a short link and have questions about how your data is used, please contact the person or organization that created the link. As a platform, we process visitor analytics data solely on behalf of our customers and in accordance with our Data Processing Terms.
6. How We Use Your Data
- To create and manage your account and deliver the Service.
- To process payments and manage subscriptions.
- To provide click and analytics reports to you as a customer.
- To detect and prevent abuse, spam, phishing, and security threats.
- To send transactional emails (account activation, password reset, billing receipts, domain verification notifications, and subscription status changes).
- To comply with legal obligations, respond to legal process, and enforce our Terms of Service.
- To improve and develop the Service using aggregated, de-identified insights that cannot be linked back to any individual.
We do not sell, rent, or otherwise share your personal data with third parties for their own marketing purposes. We do not engage in “sharing” of personal information for cross-context behavioral advertising as defined under the CCPA/CPRA.
CPRA disclosure: NFMM LLC has not sold personal information and has not shared personal information for cross-context behavioral advertising in the preceding twelve (12) months, and has no current plans to do so. We have not sold or shared the personal information of consumers under sixteen (16) years of age. If our practices ever change, we will provide the disclosures and opt-out mechanisms required by applicable law before any sale or sharing occurs.
7. Cookies
7.1 Cookies We Use
We use only strictly necessary cookies required for the Service to function. We do not use advertising, analytics, or third-party tracking cookies.
| Cookie Name | Purpose | Type | Duration |
|---|---|---|---|
.AspNetCore.Identity.Application |
Session authentication - keeps you logged in | Strictly necessary | Session / persistent (based on “Remember me”) |
.AspNetCore.Antiforgery.* |
CSRF protection - prevents cross-site request forgery attacks | Strictly necessary | Session |
.AspNetCore.Culture |
Language preference - stores your selected display language | Strictly necessary | Persistent (365 days) |
7.2 Local Storage
We use browser local storage for UI preferences (such as sidebar state and tutorial mode settings). This data remains on your device and is not transmitted to our servers.
7.3 Your Choices
Because we use only strictly necessary cookies, no consent banner is required. You can configure your browser to refuse cookies, but this will prevent you from logging in to the Service. Clearing local storage will reset your UI preferences.
8. Data Sharing and Sub-processors
We share personal data only with the following categories of recipients and only to the extent necessary to operate the Service:
| Sub-processor | Purpose | Data Shared | Location |
|---|---|---|---|
| Stripe, Inc. | Payment processing | Name, email, payment method, billing address | USA |
| Postmark (ActiveCampaign) | Transactional email delivery | Email address, email content | USA |
| IP Geolocation Service Provider | IP-to-location enrichment for click analytics | IP address (queried, not stored by us after enrichment) | USA, EU, and other jurisdictions via the provider’s global network |
| Amazon Web Services (AWS) | Hosting, storage, database, content delivery | All service data (encrypted at rest and in transit) | USA |
| Law enforcement | Legal compliance | As required by applicable law or valid legal process | Varies |
We enter into written data processing agreements with our sub-processors where such agreements are made available, requiring data protection standards no less protective than those described in this policy. Where a sub-processor does not offer a standalone data processing agreement, we rely on its published contractual terms and privacy commitments and monitor its practices on an ongoing basis. Stripe acts as an independent data controller for payment data it processes; see stripe.com/privacy.
We will notify customers of new sub-processors by updating this section and, where materially relevant, by email, at least fourteen (14) days before the new sub-processor begins processing data.
9. International Transfers
NFMM LLC is based in the United States. Your personal data is processed and stored in the US.
9.1 Transfers from the EEA, UK, and Switzerland
When we receive personal data from individuals located in the European Economic Area (EEA), the United Kingdom, or Switzerland, we rely on the following lawful transfer mechanisms:
- Standard Contractual Clauses (SCCs) - approved by the European Commission (Commission Implementing Decision (EU) 2021/914), supplemented by additional technical and organizational measures where appropriate.
- UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs - for transfers from the United Kingdom.
Our sub-processors are also bound by appropriate transfer safeguards, including SCCs or their own applicable adequacy mechanisms.
You may request a copy of the applicable transfer safeguards by contacting us at info@linksdrop.io.
9.2 Supplementary Measures
In addition to contractual safeguards, we implement the following supplementary measures to protect transferred data: encryption in transit (TLS 1.2+), encryption at rest for stored data, pseudonymization of click analytics data (IP hashing), strict access controls, and regular security assessments.
10. Data Retention
| Data Type | Retention Period | Basis |
|---|---|---|
| Account data | Duration of account + 30 days after account deletion request, unless legal retention obligations apply | Contract performance; legal obligation |
| Click analytics (raw events) | 30–730 days depending on subscription plan, then automatically purged | Contract performance |
| Aggregated analytics | Indefinite (contains no personal data) | Legitimate interest |
| Landing page leads | Duration of the customer’s account + 30 days after deletion | Contract performance |
| Billing records | 7 years | Tax and accounting law |
| Server logs | 30 days | Security; legitimate interest |
| Geo-IP cache | Automatically purged by scheduled cleanup job | Contract performance |
When you delete your account, we initiate deletion of your personal data within 30 days. Some data may be retained longer if required by applicable law (e.g., billing records for tax compliance) or if retained in anonymized, aggregated form. Backup copies are purged according to our standard backup retention cycle (not exceeding 90 days).
11. Your Privacy Rights
11.1 Rights for EEA and UK Residents (GDPR / UK GDPR)
If you are located in the EEA or UK, you have the following rights:
- Access - request a copy of the personal data we hold about you.
- Rectification - request correction of inaccurate or incomplete data.
- Erasure (“right to be forgotten”) - request deletion of your data where no legal ground for retention exists.
- Restriction - request that we restrict processing in certain circumstances.
- Data portability - receive your data in a structured, commonly used, machine-readable format.
- Objection - object to processing based on legitimate interests.
- Withdraw consent - where processing is based on consent, withdraw it at any time without affecting prior lawful processing.
- Lodge a complaint - you have the right to lodge a complaint with your local supervisory authority.
11.2 Rights for California Residents (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act as amended by the California Privacy Rights Act provides you with the following rights:
- Right to Know - request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purpose for collection, and the categories of third parties with whom we share it.
- Right to Delete - request deletion of personal information we have collected from you, subject to certain exceptions.
- Right to Correct - request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing - we do not sell your personal information and do not share it for cross-context behavioral advertising. Therefore, no opt-out is necessary; however, if our practices change, we will provide the required opt-out mechanism.
- Right to Non-Discrimination - we will not discriminate against you for exercising your CCPA/CPRA rights.
To submit a request, use the Data & Privacy section in your account settings or email info@linksdrop.io. We will verify your identity before processing your request. We will respond within 45 days (extendable by an additional 45 days with notice).
Categories of personal information collected in the preceding 12 months: Identifiers (name, email); commercial information (subscription and billing history); internet or network activity (click analytics, usage data); geolocation data (approximate, derived from IP); inferences (aggregate analytics trends). We do not collect sensitive personal information as defined under the CCPA/CPRA (such as Social Security numbers, financial account credentials, precise geolocation, racial/ethnic origin, or biometric data).
11.3 Rights for Delaware Residents (DPDPA)
If you are a Delaware resident, the Delaware Personal Data Privacy Act provides you with the following rights:
- Confirm and access - confirm whether we are processing your personal data and access that data.
- Correct - correct inaccuracies in your personal data.
- Delete - request deletion of your personal data.
- Data portability - obtain a copy of your data in a portable, readily usable format.
- Opt out - opt out of: (a) the sale of personal data, (b) targeted advertising, and (c) profiling in furtherance of solely automated decisions that produce legal or similarly significant effects. We do not currently sell personal data, use data for targeted advertising, or engage in profiling that produces legal or similarly significant effects.
- Know third parties - obtain the categories of third parties to whom we have disclosed your personal data.
- Appeal - if we deny your request, you may appeal by emailing info@linksdrop.io with the subject “Privacy Rights Appeal.” We will respond to your appeal within 60 days. If the appeal is denied, you may file a complaint with the Delaware Department of Justice at privacy@delaware.gov.
11.4 Rights for Residents of Other US States
If you reside in Colorado, Connecticut, Virginia, Texas, Montana, Oregon, or another US state with comprehensive privacy legislation, you may have similar rights to access, correct, delete, and port your personal data, and to opt out of the sale of personal data, targeted advertising, and certain profiling. We honor these rights as described above. To exercise your rights, use the Data & Privacy section in your account settings or contact us at info@linksdrop.io.
11.5 Universal Opt-Out Signals
We recognize and honor browser-based universal opt-out preference signals, including the Global Privacy Control (GPC), as valid requests to opt out of the sale of personal data and targeted advertising where required by applicable law. Because we do not currently sell personal data or engage in targeted advertising, a GPC signal will not change the functionality of the Service, but it will be logged and respected if our practices change.
11.6 Authorized Agents
You may designate an authorized agent to submit privacy rights requests on your behalf. We may require proof of authorization (such as a signed written authorization or power of attorney) and may verify your identity directly before processing the request.
11.7 How to Exercise Your Rights
For all jurisdictions, you may exercise your rights by:
- Using the Data & Privacy tools in your account settings (available at
/tenant-admin/data-privacy). - Emailing us at info@linksdrop.io.
We will respond to verified requests within 30 days (GDPR) or 45 days (US state privacy laws), with extensions where permitted by law. We will not charge a fee for processing your request unless the request is manifestly unfounded or excessive.
12. Security
We implement industry-standard technical and organizational security measures, including:
- TLS 1.2+ encryption for all data in transit.
- Encryption at rest for stored data.
- Cryptographic password hashing (not stored in plaintext).
- HMAC-SHA256 hashing of IP addresses and User-Agent strings with a per-instance secret salt.
- Role-based access controls and the principle of least privilege.
- Rate limiting and abuse detection.
- CSRF protection on all state-changing operations.
- Regular security reviews and updates.
No system is perfectly secure. We cannot guarantee absolute security, but we are committed to protecting your data and will continuously improve our security practices.
13. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33.
- Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms, as required by GDPR Article 34.
- Notify affected individuals and applicable state attorneys general within the timeframes required by applicable US state breach notification laws.
Breach notifications will include the nature of the breach, the categories and approximate number of individuals affected, the likely consequences, and the measures taken or proposed to address the breach.
14. Automated Decision-Making
We use automated processing for the following purposes:
- Bot detection - automated User-Agent pattern matching to identify known crawlers and bots. This is used solely to filter non-human traffic from analytics and has no legal or similarly significant effect on any individual.
- Abuse detection - automated systems to detect phishing, malware, and other abusive links. Links flagged by these systems may be disabled. Account holders can contact us to appeal such actions.
- Click deduplication - automated fingerprint comparison within a 24-hour window to distinguish unique visits from repeat visits, using hashed (non-reversible) data only.
We do not engage in solely automated decision-making that produces legal or similarly significant effects on individuals, as described in GDPR Article 22. No decisions about account access, content moderation, or service availability are made without the possibility of human review.
15. Children’s Privacy
The Service is not directed at children. You must be at least eighteen (18) years old to create an account (see our Terms of Service, Section 1).
We do not knowingly collect personal data from children under 13. If we learn that we have collected personal data from a child under 13 without verifiable parental consent, we will delete it promptly.
Under the Delaware DPDPA, personal data of a known child under 13 is automatically classified as sensitive data requiring verifiable parental consent. For children aged 13–17, the DPDPA requires opt-in consent before processing data for targeted advertising or the sale of personal data. Because we do not engage in targeted advertising or sell personal data, and because our Service requires users to be 18+, these provisions are generally not applicable to our direct data collection. However, if we become aware that a minor’s data has been collected, we will take appropriate steps to delete it or obtain the required consent.
16. Sensitive Data
We do not intentionally collect sensitive personal data as defined under the GDPR (special categories of data including racial or ethnic origin, political opinions, religious beliefs, health data, biometric data, or data concerning sex life or sexual orientation), the DPDPA (which additionally includes transgender or nonbinary status, citizenship or immigration status, and precise geolocation), or the CCPA/CPRA (sensitive personal information).
If you voluntarily include sensitive information in content you create on the Service (such as in landing page descriptions), you are responsible for ensuring that you have a lawful basis to process such data and that you have obtained any necessary consent from the individuals involved.
17. Do Not Track
Some browsers offer a “Do Not Track” (DNT) signal. Because there is no industry standard for how to respond to DNT signals, we do not currently alter our data collection or use practices in response to DNT signals. We do, however, honor Global Privacy Control (GPC) signals as described in Section 11.5.
18. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Updating the “Last updated” date at the top of this page.
- Sending an email to the address associated with your account at least fifteen (15) days before material changes take effect.
Continued use of the Service after the effective date of changes constitutes your acceptance of the revised policy. If you do not agree to the revised policy, you must stop using the Service and delete your account.
19. Contact & Company Information
For any questions, data subject requests, or complaints relating to this Privacy Policy, please contact us:
- Company
- NFMM LLC
- State of Formation
- Delaware, United States of America
- Date of Formation
- April 16, 2026
- Effective Date
- April 1, 2026
- Principal Office
- 8 The Green, Suite A, City of Dover, Delaware 19901, USA
- Registered Agent
- Registered Agent Inc
- Privacy & data requests
- info@linksdrop.io
Delaware residents: You may also submit complaints to the Delaware Department of Justice, Consumer Protection Unit, at privacy@delaware.gov.
EEA/UK residents: You have the right to lodge a complaint with your local data protection supervisory authority.
California residents: You may also contact the California Attorney General at oag.ca.gov/privacy.