Data Processing Addendum

Effective 28 April, 2022 

 

1.           Protecting personal data

When you use Linktree, you and we both collect and use information about people (such as visitors to your profile and individuals who appear in your content). European laws have rules which protect that information (known as “EU Data Protection Laws”). 

This Data Processing Addendum (“DPA”) applies to you when the use of your Linktree account is subject to the EU Data Protection Laws. It forms part of the Terms (but if there’s any conflict between this DPA and the Terms, this DPA will take precedence).

 

2.           Responsibilities

Your and our responsibilities under this DPA depend on our roles as either a "controller" or "processor" of personal data under EU Data Protection Laws (summarised in the table below). 

When we talk about either of us acting as a "controller", we mean us or you determining what personal data is for and how it’s used. When we talk about Linktree acting as a "processor", we mean us handling or processing personal data on your behalf, as the “controller”.

  Controller Processor
You Generally, you act as a controller of personal data:
  • contained within any content that you post or generate on Linktree; and
  • relating to Profile Visitors,
(together "Profile Data").
N/A
Linktree Linktree may also act as a controller of Profile Data where:
  •   we scan profiles and links to decide whether to apply sensitive content warnings, block a domain, remove any content or suspend your profile (in line with our Community Standards);

  • we analyse visitor’s interactions with profiles to: (i) deliver you hints and tips to optimise the performance of your profile; and (ii) recommend profiles to visitors who subscribe to Linktree users (“Subscribers”);

  • we produce statistics about the operation of link-lock functionality, which you choose to apply and we use this info for our analytics purposes; and

  • we use Linktree-controlled cookies to process personal data about Profile Visitors for analytics purposes (see our Cookie Notice),
collectively, the "Controller Services".
We also process Profile Data on your behalf when:
  • we facilitate you to post content to your profile (either directly or via links to embedded content);

  • we collect personal data generated when a person visits or interacts with your profile (e.g. by filling out a contact form or making  payments to you); and

  • we implement link-locking functionality to facilitate unlocking of restricted areas on your profile,
collectively the "Processor Services", for the purpose of providing our service in accordance with the Terms(the "Permitted Purpose").

 

 

3.           Controller Services

Each of us has responsibilities in relation to the Controller Services, which are set out in the table below. To the extent that there are additional obligations under EU Data Protection Laws in respect of the Controller Services, they will remain with each of us and you individually.

No.

Obligation under EU Data Protection Law

Linktree

You

A

A legal basis

We rely on our and our users' legitimate interests to carry out the Controller Services.

You must identify a legal basis for the processing that you undertake, by letting us carry out the Controller Services.

B

Providing information to individuals (“Data Subjects”)

Our Privacy Notice sets out how we process personal data for the purposes of the Controller Services.

You must provide notice to Data Subjects about (i) your role in letting Linktree process their data to carry out the Controller Services; and (ii)  any other processing that you undertake.

C

Complying with Data Subject rights requests

We are responsible for addressing Profile Visitors’ rights with respect to any personal data we store for carrying out the Controller Services. 

When you tell us about a Profile Visitor who has exercised their rights against you, or any  communication from a supervisory authority (each a "Request"), we will deal with the Request to the extent we are responsible for doing so under this DPA. 

We will also provide you with any reasonable assistance that you request to enable you to meet your obligations under EU Data Protection Laws.

You are responsible for addressing Data Subjects’ rights with respect to your role in letting us carry out the Controller Services.

Where you have received a Request, you are not allowed to answer on Linktree’s behalf. You will promptly share all relevant info with us (within a max. of  7 days) and provide any reasonable assistance that we request, to enable us to meet our obligations under EU Data Protection Laws. 

D

Securing Profile Data 

We will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks presented by the Controller Services, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

You will keep your password secure and ensure that you do not do anything that could compromise the security of the personal data processed as part of the Controller Services.

E

Notification of personal data breaches

We will be responsible for compliance with our obligations under EU Data Protection Laws in relation to the Controller Services.

You will be responsible for compliance with your obligations under EU Data Protection Laws in relation to the Controller Services.

 

4.           Processor Services

You will comply with your obligations when acting as a “controller” under applicable data protection laws in respect of Profile Data and Linktree will follow your instructions, and comply with its obligations under EU Data Protection Laws, when acting as a “processor” in relation to the Processor Services as follows:

  • we will only process Profile Data in accordance with the Terms. If we become aware that processing for the Permitted Purpose infringes EU Data Protection Laws, we will let you know;
  • we will make sure that any person we authorise to process Profile Data will keep it confidential;
  • we will implement appropriate technical and organisational measures designed to protect Profile Data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access; 
  • if we become aware of a confirmed personal data breach in respect of Profile Data, we will notify you without undue delay; 
  • you consent to us engaging third parties (“Subprocessors”) to process Profile  Data for the Permitted Purpose, provided that: (i) we maintain an up-to-date list of Subprocessors in our Privacy Notice, which we will update before we make any changes to Subprocessors; (ii) we will impose data protection terms on any Subprocessor as required to protect Profile Data to the standard set by EU Data Protection Laws; and (iii) we remain responsible for any breach of this DPA caused by any Subprocessor. You may object to a Subprocessor before we appoint or replace them, provided your objection is based on reasonable grounds relating to data protection. In that event, we will either not appoint or replace the Subprocessor or, if this is not possible, you may suspend or terminate your account (but you won’t receive a refund of any fees paid upfront);
  • taking into account the nature of the processing, we will provide all reasonable and timely assistance to you (at your expense) to enable you complete a legally required data protection impact assessment and to respond to: (i) any request from an individual to exercise its rights under EU Data Protection Laws; and (ii) any other enquiry or complaint received from an individual, regulator or third party in connection with processing Profile Data; 
  • upon cancellation of your  account, we will delete Profile Data in our possession or control for the purposes of the Processor Services (except to the extent we are required by applicable law to retain Profile Data); and
  • on request, we will provide copies of relevant security certifications or other documentation necessary to verify our compliance with this DPA in respect of the Processor Services. Such documents will be subject to the confidentiality provisions in the Terms.

 

5.           International data transfers

We will both follow EU Data Protection Laws when transferring personal data to another country. You and we agree that when there is a transfer of personal data from the European Economic Area (EEA) or the United Kingdom (UK) from you to us, the Data Transfer Addendum (see below) forms part of, and is incorporated into, this DPA.

 

6.           Definitions

Words used but not defined in this DPA have the same meaning as in the Terms. Additionally, the following definitions apply:

  • "EU Data Protection Laws" means (as applicable) Regulation (EU) 2016/679 ("EU GDPR"); or the EU GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR").
  • "controller", "processor", "personal data" and "personal data breach" have the meanings set out in EU Data Protection Laws.

 

Data Transfer Addendum 

This Data Transfer Addendum applies to you when the use of your Linktree account is subject to EU Data Protection Laws. It forms part of the DPA and the Terms (but if there is any conflict between this Data Transfer Addendum and the DPA or Terms, this Data Transfer Addendum will take precedence).

 

1.           Appropriate safeguards

When the transfer of Profile Data from you to us is a Restricted Transfer:

(a) in respect of personal data protected by the EU GDPR, the Controller to Controller SCCs shall apply to the Controller Services and the Controller to Processor SCCs shall apply to the Processor Services; and

(b) in relation to personal data that is protected by the UK GDPR, the EU SCCs, completed as set out in (a) above shall apply, and the EU SCCs will be deemed amended as specified by Part 2 of the UK Addendum, which will be deemed entered into and incorporated into this Data Transfer Addendum by this reference.

2.           Definitions

This Data Transfer Addendum uses the same terms as in the Terms and DPA. Additionally, the following definitions apply:

  • "Restricted Transfer" means: (i) where the EU GDPR applies, a transfer of personal data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission (“EC”); and (ii) where the UK GDPR applies, a transfer of personal data from the UK to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018.
  • "Controller to Controller SCCs" means module one of the contractual clauses annexed to the EC's Implementing Decision 2021/914 of 4 June 2021 where: (i) for the purposes of Clause 17, Irish law will govern; (ii) in Clause 18(b), disputes will be resolved by the courts of Ireland; and (iii) Annex I shall be completed as set out in Clause 3 of this Data Transfer Addendum and Annex II shall be completed as set out in the Linktree Security Measures.
  • "Controller to Processor SCCs" means module two of the contractual clauses annexed to the EC's Implementing Decision 2021/914 of 4 June 2021 where: (i) in Clause 9, Option 1 will apply, and the time period for prior notice of Subprocessor changes shall be as set out in Clause 4 of the DPA; (ii) in Clause 17, Option 1 will apply, and Irish law will govern; (iii) in Clause 18(b), disputes shall be resolved before the courts of Ireland; and (iv) Annex I shall be completed as set out in Clause 3 of this Data Transfer Addendum and Annex II shall be completed as set out in the Linktree Security Measures.
  • "EU SCCs" means the Controller to Controller SCCs or the Controller to Processor SCCs, as applicable.
  • "UK Addendum" means the "International Data Transfer Addendum to the EU Commission Standard Contractual Clauses" issued by the Information Commissioner's Office under s.119A(1) of the UK Data Protection Act 2018. Tables 1 to 3 in Part 1 of the UK Addendum shall be deemed completed with the relevant information from the EU SCCs, completed as set out in Clause 3 of this Data Transfer Addendum, and the option "Importer" shall be deemed checked in Table 4.

 

3.           Annex I to the SCCs 

A.   LIST OF PARTIES

 

Data exporter

Data importer

Name, address and contact details

As specified in your Linktree account 

Linktree Pty Ltd of 37 Islington Street, Collingwood, VIC 3066

Activities relevant to the data transferred under these SCCs

Sending personal data to Linktree in accordance with the Terms

Receiving and processing personal data from you in accordance with the Terms

Role

Controller

Controller for the Controller Services

Processor for the Processor Services

 

B.   DESCRIPTION OF TRANSFER

Categories of Data Subjects whose personal data is transferred

Linktree users

Categories of personal data transferred

  • Contact data: name, account(s) email address; user name (including URL)

  • PRO-user data: name; payment email address; billing address; payment method

  • Miscellaneous data: user marketing preferences; industry/vertical; password (held in hashed form)

  • Profile data: profile title; photo; bio; link names/descriptions; links to social media sites; embedded data or content within a Linktree profile (e.g. videos, donation links)

  • Device data: IP address; language used; browser type; time zone settings; time spent on webpages; unique device identifiers; other diagnostic data; application data

Sensitive data transferred 

None

The frequency of the data transfer (e.g. on a one-off or continuous basis)

Continuous based on your use of our services

Nature of the processing

Linktree's platform connects audiences to wherever you are online, and makes your content more discoverable and easier to manage

Purpose(s) of the data transfer and further processing

The provision of services under the Terms

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

The duration of the provision of services under the Terms or as required by applicable law

For transfers to Subprocessors, also specify the subject matter, nature and duration of the processing

Where we engage Subprocessors (also referred to as our “service providers” or “partners”), we will do so in compliance with the EU SCCs. The subject matter, nature and duration of the processing activities carried out by the Subprocessor will not exceed those carried out by us in accordance with this Annex. 

 

 

C.   COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority in accordance with Clause 13

Determined in accordance with Clause 13 of the EU SCCs