Privacy Policy

1. Controller

Scheffer Webdesign
Lützenrathstraße 10, 52353 Düren, Germany
Email:

This privacy policy explains which personal data we process when you use LinkLoot, for which purposes we process it and on which legal basis.

2. Hosting, security and logs

Our website is operated on servers of netcup GmbH in Germany. A data processing agreement pursuant to Art. 28 GDPR is in place.

Server log data such as IP address, timestamps, requested URL, referrer, browser type and operating system may be processed for stability, security and abuse prevention.

Legal basis: Art. 6 para. 1 lit. f GDPR.

3. Accounts, login and profile features

Registration and sign-in

For registration and sign-in we process, in particular, your email address, name, profile image, sign-in data, session data and security-related technical information. This may include the last successful sign-in with timestamp, sign-in method, shortened IP range, IP hash and a coarse device/browser description. We do not store precise location derived from the IP address. We use Auth.js / NextAuth as well as Google, Facebook or email service providers for magic links, depending on your chosen login method.

Profile, settings and uploads

If you edit your profile, we process profile details, interests, language settings, images and banners that you provide. Media may be transferred to Cloudinary via signed uploads.

Legal basis

Processing takes place for the performance of the user relationship under Art. 6 para. 1 lit. b GDPR and on the basis of legitimate interests in security and abuse prevention under Art. 6 para. 1 lit. f GDPR.

4. Community content and platform use

If you create content on LinkLoot, comment, vote, unlock content or participate in courses, we process the content, account and usage data required for these functions.

For signed-in users, we also store which feed items were visible so already seen content can be temporarily ranked lower and placed appropriately again when new activity makes it relevant.

This includes posts, comments, votes, unlocks, course enrolments, progress data, feed impressions and platform-related activities. Legal basis: Art. 6 para. 1 lit. b GDPR.

5. Support, feedback, messages and notifications

If you use support tickets, feedback or direct messages, we process message contents, metadata, file attachments, timestamps and ticket- or conversation-related status information.

If you submit feedback without logging in and optionally request a reply by email, we additionally process your optional name, your email address, the email verification status and time-limited secure access links for the thread.

Support and notification features may also process technical information such as URL, user agent and read/status information.

Direct messages are transmitted with end-to-end encryption; LinkLoot stores only the encrypted content and metadata required for delivery. Support attachments are stored via Cloudinary and are removed during automatic ticket deletion or manual ticket deletion where the service confirms deletion.

Legal basis: Art. 6 para. 1 lit. b GDPR and, for security and abuse prevention, Art. 6 para. 1 lit. f GDPR.

6. Payments, Loot-Gems and accounting

When purchasing Loot-Gems, payment data is processed directly by Stripe. We generally do not receive full credit card details, but only the information necessary for payment execution, confirmation, fraud prevention and accounting documentation.

We also process internal transaction data, purchased packages, payment amounts, status information and mappings to your user account.

When you unlock an official LinkLoot Tool with Gems, we store the mapping to your account, the tool slug, the Gem amount, and transaction data. For local kit tools, LinkLoot does not process credentials, device identifiers, or working files unless the relevant tool clearly states otherwise.

For local browser tools such as Image Compressor and PDF Editor, the links, image files, and PDF contents remain in the browser. For rate limits and Gem billing, our server only receives usage metadata such as tool slug, action, account- or IP-based limit key, timestamps, remaining free uses, and where applicable Gem transactions. The concrete URLs, images, and PDF files are not transferred to LinkLoot, Cloudinary, OpenAI, or OpenRouter.

Legal basis: Art. 6 para. 1 lit. b GDPR; statutory retention obligations may additionally follow from Art. 6 para. 1 lit. c GDPR.

7. External services and recipients

OpenAI / OpenRouter

We use OpenAI or OpenRouter for selected AI features, especially optimisation of text inputs and automatic generation of short Loot descriptions. Only the text inputs necessary for the relevant feature are transferred.

Cloudinary

We use Cloudinary for storing and delivering uploaded media.

Email service providers

We use email service providers for system emails and magic-link sign-in emails, for example SMTP delivery or Resend.

Google / Facebook

When signing in via Google or Facebook, we receive the profile data necessary for authentication and account linking.

Social sharing links

Our sharing buttons for X, Facebook, WhatsApp and LinkedIn are implemented as simple links. No social media scripts are loaded and no data is transferred to these providers before you actively click a sharing link. After clicking, the respective provider opens and its privacy terms apply.

Stripe

Stripe processes payment and checkout data for purchases on our platform.

Cloudflare Turnstile

We use Cloudflare Turnstile to protect against bots and abuse. IP address and browser characteristics may be processed.

YouTube / DiceBear

Videos are embedded via youtube-nocookie.com. DiceBear avatars are fetched only through our server-side proxy.

Third-country transfers

Where data is transferred to providers outside the EU/EEA, this is done only on a lawful data protection basis, for example an adequacy decision or appropriate safeguards such as standard contractual clauses, where provided by the respective provider.

8. Cookies and local storage

We distinguish between technically required storage and optional storage. Technically required storage is used where it is necessary for login, security, language preferences, or features you request. The legal basis for storing or accessing information on your device is Sec. 25(2) no. 2 TDDDG; subsequent data processing follows the GDPR legal bases listed below.

The affiliate cookie linkloot_ref is set only after explicit consent under Sec. 25(1) TDDDG and Art. 6 para. 1 lit. a GDPR.

You can change or withdraw your choice at any time via Cookie settings in the footer. Optional cookies are deleted after withdrawal.

Name | Type | Purpose | Retention | Legal basis
authjs.* / next-auth.* | Cookie | Login, session, security | Session or until configured expiry | Art. 6 para. 1 lit. b, f GDPR
linkloot_post_login | Cookie | Redirects to the requested page after login | Up to 10 minutes | Art. 6 para. 1 lit. b, f GDPR
admin_session | Cookie | Secured admin access | Up to 24 hours | Art. 6 para. 1 lit. f GDPR
cookie-consent | localStorage | Stores your cookie choice | Until changed or deleted | Art. 6 para. 1 lit. c, f GDPR
linkloot_optional_consent | Cookie | Server-side proof of your consent for optional affiliate storage | Up to 12 months or until withdrawal | Art. 6 para. 1 lit. a GDPR
linkloot_lang | Cookie / localStorage | Stores your language preference | Up to 12 months | Art. 6 para. 1 lit. b, f GDPR
linkloot-first-run-wizard-* / home-feed-intro-* | localStorage | Locally remembers whether you dismissed or collapsed onboarding and feed hints | Until you clear browser data or reset the setting | Art. 6 para. 1 lit. b, f GDPR
linkloot_*_csrf | Cookie | Protects contact, feedback, and guest form features against abuse | Up to 1 hour | Art. 6 para. 1 lit. f GDPR
linkloot-submit-current-draft | localStorage | Stores your current loot draft locally when you enter content in the submit form | Until you overwrite the draft or clear browser data | Art. 6 para. 1 lit. b, f GDPR
linkloot-agent:* / linkloot-agent-submit-prefill | localStorage | Stores local agent chat snippets and requested submit prefill data for signed-in users | Until you start a new chat or clear browser data | Art. 6 para. 1 lit. b, f GDPR
linkloot_guest_portal | Cookie | Time-limited access to your guest feedback thread after email-link verification | Up to 7 days | Art. 6 para. 1 lit. b, f GDPR
ll_dm_priv_* / ll_dm_pub_* | localStorage | Stores your local direct-message keys for end-to-end encrypted messages on your device | Until you clear browser data or remove the keys | Art. 6 para. 1 lit. b, f GDPR
linkloot_ref | Cookie | Affiliate attribution after explicit consent | Up to 30 days | Art. 6 para. 1 lit. a GDPR

9. Retention periods

We store personal data only as long as necessary for the relevant purposes or as required by statutory retention obligations.

Account data and profile settings are generally stored for the duration of the user relationship. API keys remain stored until revoked or deleted. Feed impressions are used only for recent personalization and are regularly deleted once they are older than about six months. Direct messages are automatically deleted after 90 days. Closed or completed support tickets are generally deleted three years after the last update, including the related Cloudinary attachments. Payment and accounting-related data may be stored longer due to tax and commercial law requirements.

If you request deletion of your account, we delete or anonymise data within the limits of applicable law and statutory retention duties.

10. Your rights

  • Access (Art. 15 GDPR): information about processed data.
  • Rectification (Art. 16 GDPR): correction of inaccurate data.
  • Erasure (Art. 17 GDPR): deletion of your data.
  • Restriction (Art. 18 GDPR): restriction of processing.
  • Data portability (Art. 20 GDPR): provision in a machine-readable format.
  • Withdrawal (Art. 7(3) GDPR): withdrawal of consent with effect for the future.
  • Objection (Art. 21 GDPR): objection to processing based on legitimate interests.

11. Right to lodge a complaint

You have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data violates the GDPR.