Effective 27 April, 2022
When you use Linktree, you and we both collect and use information about people (such as visitors to your profile and individuals who appear in your content). European laws have rules which protect that information (known as “EU Data Protection Laws”).
This Data Processing Addendum (“DPA”) applies to you when the use of your Linktree account is subject to the EU Data Protection Laws. It forms part of the Terms (but if there’s any conflict between this DPA and the Terms, this DPA will take precedence).
Your and our responsibilities under this DPA depend on our roles as either a “controller” or “processor” of personal data under EU Data Protection Laws (summarised in the table below).
When we talk about either of us acting as a “controller”, we mean us or you determining what personal data is for and how it’s used. When we talk about Linktree acting as a “processor”, we mean us handling or processing personal data on your behalf, as the “controller”.
|You||Generally, you act as a controller of personal data:
(together “Profile Data”).
|Linktree||Linktree may also act as a controller of Profile Data where:
● we scan profiles and links to decide whether to apply sensitive content warnings, block a domain, remove any content or suspend your profile (in line with our Community Standards);
● we analyse visitors’ interactions with profiles to: (i) deliver you hints and tips to optimise the performance of your profile; and (ii) recommend profiles to visitors who subscribe to Linktree users (“Subscribers”);
● we produce statistics about the operation of link-lock functionality, which you choose to apply and we use this info for our analytics purposes; and
● we use Linktree-controlled cookies to process personal data about Profile Visitors for analytics purposes (see our Cookie Notice),
collectively, the “Controller Services”.
|We also process Profile Data on your behalf when:
● we facilitate you to post content to your profile (either directly or via links to embedded content);
● we collect personal data generated when a person visits or interacts with your profile (e.g. by filling out a contact form or making payments to you); and
● we implement link-locking functionality to facilitate unlocking of restricted areas on your profile,
collectively, the “Processor Services”, for the purpose of providing our service in accordance with the Terms (the “Permitted Purpose”).
Each of us has responsibilities in relation to the Controller Services, which are set out in the table below. To the extent that there are additional obligations under EU Data Protection Laws in respect of the Controller Services, they will remain with each of us and you individually.
|No.||Obligation under EU Data Protection Law||Linktree||You|
|A||A legal basis||We rely on our and our users’ legitimate interests to carry out the Controller Services.||You must identify a legal basis for the processing that you undertake, by letting us carry out the Controller Services.|
|B||Providing information to individuals (“Data Subjects”)||Our Privacy Notice sets out how we process personal data for the purposes of the Controller Services.||You must provide notice to Data Subjects about (i) your role in letting Linktree process their data to carry out the Controller Services; and (ii) any other processing that you undertake.|
|C||Complying with Data Subject rights requests||We are responsible for addressing Profile Visitors’ rights with respect to any personal data we store for carrying out the Controller Services. When you tell us about a Profile Visitor who has exercised their rights against you, or any communication from a supervisory authority (each a “Request”), we will deal with the Request to the extent we are responsible for doing so under this DPA. We will also provide you with any reasonable assistance that you request to enable you to meet your obligations under EU Data Protection Laws.||You are responsible for addressing Data Subjects’ rights with respect to your role in letting us carry out the Controller Services. Where you have received a Request, you are not allowed to answer on Linktree’s behalf. You will promptly share all relevant info with us (within a max. of 7 days) and provide any reasonable assistance that we request, to enable us to meet our obligations under EU Data Protection Laws.|
|D||Securing Profile Data||We will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks presented by the Controller Services, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.||You will keep your password secure and ensure that you do not do anything that could compromise the security of the personal data processed as part of the Controller Services.|
|E||Notification of personal data breaches||We will be responsible for compliance with our obligations under EU Data Protection Laws in relation to the Controller Services.||You will be responsible for compliance with your obligations under EU Data Protection Laws in relation to the Controller Services.|
You will comply with your obligations when acting as a “controller” under applicable data protection laws in respect of Profile Data and Linktree will follow your instructions, and comply with its obligations under EU Data Protection Laws, when acting as a “processor” in relation to the Processor Services as follows:
We will both follow EU Data Protection Laws when transferring personal data to another country. You and we agree that when there is a transfer of personal data from the European Economic Area (EEA) or the United Kingdom (UK) from you to us, the Data Transfer Addendum (see below) forms part of, and is incorporated into, this DPA.
Words used but not defined in this DPA have the same meaning as in the Terms. Additionally, the following definitions apply:
This Data Transfer Addendum applies to you when the use of your Linktree account is subject to EU Data Protection Laws. It forms part of the DPA and the Terms (but if there is any conflict between this Data Transfer Addendum and the DPA or Terms, this Data Transfer Addendum will take precedence).
When the transfer of Profile Data from you to us is a Restricted Transfer:
This Data Transfer Addendum uses the same terms as in the Terms and DPA. Additionally, the following definitions apply:
|Data exporter||Data importer|
|Name, address and contact details||As specified in your Linktree account||Linktree Pty Ltd of 37 Islington Street, Collingwood, VIC 3066|
|Activities relevant to the data transferred under these SCCs||Sending personal data to Linktree in accordance with the Terms||Receiving and processing personal data from you in accordance with the Terms|
|Role||Controller||Controller for the Controller Services; Processor for the Processor Services|
|Categories of Data Subjects whose personal data is transferred||Linktree users|
|Categories of personal data transferred||
|Sensitive data transferred||None|
|The frequency of the data transfer (e.g. on a one-off or continuous basis)||Continuous based on your use of our services|
|Nature of the processing||Linktree’s platform connects audiences to wherever you are online, and makes your content more discoverable and easier to manage|
|Purpose(s) of the data transfer and further processing||The provision of services under the Terms|
|The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period||The duration of the provision of services under the Terms or as required by applicable law|
|For transfers to Subprocessors, also specify the subject matter, nature and duration of the processing||Where we engage Subprocessors (also referred to as our “service providers” or “partners”), we will do so in compliance with the EU SCCs. The subject matter, nature and duration of the processing activities carried out by the Subprocessor will not exceed those carried out by us in accordance with this Annex.|
|Identify the competent supervisory authority in accordance with Clause 13||Determined in accordance with Clause 13 of the EU SCCs|