Privacy Policy
1. Controller
Scheffer Webdesign
Lützenrathstraße 10, 52353 Düren, Germany
Email:
This privacy policy explains which personal data we process when you use LinkLoot, for which purposes we process it and on which legal basis.
2. Hosting, security and logs
Our website is operated on servers of netcup GmbH in Germany. A data processing agreement pursuant to Art. 28 GDPR is in place.
Server log data such as IP address, timestamps, requested URL, referrer, browser type and operating system may be processed for stability, security and abuse prevention.
Legal basis: Art. 6 para. 1 lit. f GDPR.
3. Accounts, login and profile features
Registration and sign-in
For registration and sign-in we process, in particular, your email address, name, profile image, sign-in data, session data and security-related technical information. This may include the last successful sign-in with timestamp, sign-in method, shortened IP range, IP hash and a coarse device/browser description. We do not store precise location derived from the IP address. We use Auth.js / NextAuth as well as Google, Facebook or email service providers for magic links, depending on your chosen login method.
Profile, settings and uploads
If you edit your profile, we process profile details, interests, language settings, images and banners that you provide. Media may be transferred to Cloudinary via signed uploads.
Legal basis
Processing takes place for the performance of the user relationship under Art. 6 para. 1 lit. b GDPR and on the basis of legitimate interests in security and abuse prevention under Art. 6 para. 1 lit. f GDPR.
4. Community content and platform use
If you create content on LinkLoot, comment, vote, unlock content or participate in courses, we process the content, account and usage data required for these functions.
This includes posts, comments, votes, unlocks, course enrolments, progress data and platform-related activities. Legal basis: Art. 6 para. 1 lit. b GDPR.
5. Support, feedback, messages and notifications
If you use support tickets, feedback or direct messages, we process message contents, metadata, file attachments, timestamps and ticket- or conversation-related status information.
If you submit feedback without logging in and optionally request a reply by email, we additionally process your optional name, your email address, the email verification status and time-limited secure access links for the thread.
Support and notification features may also process technical information such as URL, user agent and read/status information.
Legal basis: Art. 6 para. 1 lit. b GDPR and, for security and abuse prevention, Art. 6 para. 1 lit. f GDPR.
6. Payments, Loot-Gems and accounting
When purchasing Loot-Gems, payment data is processed directly by Stripe. We generally do not receive full credit card details, but only the information necessary for payment execution, confirmation, fraud prevention and accounting documentation.
We also process internal transaction data, purchased packages, payment amounts, status information and mappings to your user account.
Legal basis: Art. 6 para. 1 lit. b GDPR; statutory retention obligations may additionally follow from Art. 6 para. 1 lit. c GDPR.
7. External services and recipients
OpenAI / OpenRouter
We use OpenAI or OpenRouter for selected AI features, especially optimisation of text inputs and automatic generation of short Loot descriptions. Only the text inputs necessary for the relevant feature are transferred.
Cloudinary
We use Cloudinary for storing and delivering uploaded media.
Email service providers
We use email service providers for system emails and magic-link sign-in emails, for example SMTP delivery or Resend.
Google / Facebook
When signing in via Google or Facebook, we receive the profile data necessary for authentication and account linking.
Social sharing links
Our sharing buttons for X, Facebook, WhatsApp and LinkedIn are implemented as simple links. No social media scripts are loaded and no data is transferred to these providers before you actively click a sharing link. After clicking, the respective provider opens and its privacy terms apply.
Stripe
Stripe processes payment and checkout data for purchases on our platform.
Cloudflare Turnstile
We use Cloudflare Turnstile to protect against bots and abuse. IP address and browser characteristics may be processed.
YouTube / DiceBear
Videos are embedded via youtube-nocookie.com. DiceBear avatars are fetched only through our server-side proxy.
Third-country transfers
Where data is transferred to providers outside the EU/EEA, this is done only on a lawful data protection basis, for example an adequacy decision or appropriate safeguards such as standard contractual clauses, where provided by the respective provider.
8. Cookies and local storage
We distinguish between technically required storage and optional storage. The affiliate cookie linkloot_ref is set only after explicit consent.
You can change or withdraw your choice at any time via Cookie settings in the footer. Optional cookies are deleted after withdrawal.
| Name | Type | Purpose | Retention | Legal basis |
|---|---|---|---|---|
| authjs.* / next-auth.* | Cookie | Login, session, security | Session or until configured expiry | Art. 6 para. 1 lit. b, f GDPR |
| linkloot_post_login | Cookie | Redirects to the requested page after login | Up to 10 minutes | Art. 6 para. 1 lit. b, f GDPR |
| admin_session | Cookie | Secured admin access | Up to 24 hours | Art. 6 para. 1 lit. f GDPR |
| cookie-consent | localStorage | Stores your cookie choice | Until changed or deleted | Art. 6 para. 1 lit. c, f GDPR |
| linkloot_lang | Cookie / localStorage | Stores your language preference | Up to 12 months | Art. 6 para. 1 lit. b, f GDPR |
| ll_dm_priv_* / ll_dm_pub_* | localStorage | Stores your local direct-message keys for end-to-end encrypted messages on your device | Until you clear browser data or remove the keys | Art. 6 para. 1 lit. b, f GDPR |
| linkloot_ref | Cookie | Affiliate attribution after explicit consent | Up to 30 days | Art. 6 para. 1 lit. a GDPR |
9. Retention periods
We store personal data only as long as necessary for the relevant purposes or as required by statutory retention obligations.
Account data and profile settings are generally stored for the duration of the user relationship. API keys remain stored until revoked or deleted. Direct messages may be retained only for a limited period according to internal deletion routines. Payment and accounting-related data may be stored longer due to tax and commercial law requirements.
If you request deletion of your account, we delete or anonymise data within the limits of applicable law and statutory retention duties.
10. Your rights
- Access (Art. 15 GDPR): information about processed data.
- Rectification (Art. 16 GDPR): correction of inaccurate data.
- Erasure (Art. 17 GDPR): deletion of your data.
- Restriction (Art. 18 GDPR): restriction of processing.
- Data portability (Art. 20 GDPR): provision in a machine-readable format.
- Withdrawal (Art. 7(3) GDPR): withdrawal of consent with effect for the future.
- Objection (Art. 21 GDPR): objection to processing based on legitimate interests.
11. Right to lodge a complaint
You have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data violates the GDPR.