Profiles.Link

Privacy Policy

Last updated 2026-05-29 17:29:14

Last updated: [1 January 2026]

This Privacy Policy explains how Arowana Scrinium LLC ("Profiles.Link", "we", "us", "our") collects, uses, stores, and shares your information when you use the website at https://profiles.link and any related services (collectively, the "Service").

By creating an account or using the Service, you agree to the practices described here. If you do not agree, please do not use the Service.

1. Who we are

The Service is operated by Arowana Scrinium Branding LLC, located at #B04, HDC Property, Dubai, UAE. For any privacy question, or to exercise your rights, contact us at privacy@arowanallc.com.

For the purposes of data-protection law (where applicable), we are the "data controller" of the personal data you provide to us.

2. Information we collect

2.1 Information you provide

  • Account details — your name, username, email address, and a password (which we store only as a salted bcrypt hash; we never store or can see your plaintext password).
  • Profile content — your bio, avatar and banner images, background images, chosen theme, links and "blocks" you add (URLs, headers, tip jars, digital products, embeds, countdowns), and any text or files you upload.
  • Verification requests — if you apply for a verified badge, the first name, last name, phone number, email, and any notes you submit for manual review.
  • Support content — messages you send through support tickets or the contact form, and your replies.
  • Wiki suggestions — any edits you propose to documentation articles.

2.2 Information collected automatically

  • Authentication & security logs — each sign-in (and failed sign-in) records your IP address, browser user-agent, and timestamp so you can review and revoke sessions and we can detect abuse.
  • Click & visit analytics — when someone clicks a link on a public profile we record the click with the visitor's IP address, user-agent, approximate country/region (derived from IP), device type (mobile / tablet / desktop), and timestamp. We also keep a real-time visitor counter.
  • Cookies & local storage — see section 7.

2.3 Payment & financial information

The Service uses a "stars" virtual currency. When you buy stars or make a payment we record the transaction (amount, currency, method, status, timestamps) and the resulting star ledger entries. We do not collect or store your full card number or banking credentials. Card and wallet details are handled directly by our payment processors (see section 6).

3. How we use your information

  • To create and operate your account and public profile.
  • To process payments, manage your stars balance, subscriptions, tips, purchases, transfers, and refunds.
  • To send transactional emails — sign-in alerts, password and email changes, two-factor changes, star transfers, purchases, subscription activation/expiry, account status changes, ticket replies, and similar notifications. A metadata-only log of these (subject, type, status, timestamp — never the body) is visible to you at /account/notifications.
  • To provide link-click and visitor analytics to profile owners.
  • To review verification requests and provide customer support.
  • To detect, prevent, and investigate fraud, abuse, and security incidents (including the banned-URL denylist and rate limiting).
  • To comply with legal obligations.

4. Legal bases for processing (where GDPR / UK-GDPR applies)

  • Contract — to provide the Service you signed up for.
  • Legitimate interests — to secure the Service, prevent abuse, and improve our product.
  • Consent — for any optional analytics you choose to enable on your own profile (see section 5), and where otherwise required.
  • Legal obligation — to keep financial records and respond to lawful requests.

5. Analytics you add to your own profile

If you have the relevant feature, you may inject your own Google Analytics and/or Meta (Facebook) Pixel IDs into your public profile. When you do this, you become responsible for the data those third-party tools collect from your visitors, and for disclosing it in your own privacy notice and obtaining any required consent. We simply render the IDs you provide.

6. When we share information

We do not sell your personal data. We share it only with:

  • Payment processors — to take payments and credit stars. Depending on the method you choose this may include Stripe, Skrill, or our offline/bank-transfer workflow. Their handling of your data is governed by their own privacy policies.
  • Email delivery providers — to send the transactional emails described above. Depending on our configuration this may be an SMTP server or an email API such as Resend, Mailgun, SendGrid, or Brevo.
  • Infrastructure & CDN providers — our hosting provider, and content-delivery networks used to load fonts, icons, and styling assets.
  • Your chosen integrations — if you configure outbound webhooks or issue API keys, data about the events you subscribe to is sent to the endpoints you specify.
  • Authorities — where required by law, court order, or to protect our rights, users, or the public.
  • Successors — in connection with a merger, acquisition, or sale of assets, subject to this Policy.

7. Cookies and local storage

We use a small number of strictly necessary and preference items:

  • Session cookie — keeps you signed in. Essential; the Service cannot work without it.
  • CSRF token — protects forms against cross-site request forgery. Essential.
  • Theme preference (pl_theme cookie + browser local storage) — remembers whether you chose light, dark, or auto mode.
  • Unlocked-profile markers — remember password-gated profiles you've unlocked during a session.

We do not use advertising or cross-site tracking cookies of our own. Any analytics cookies on a public profile come from IDs the profile owner added themselves (section 5).

8. Public information

Your profile is public by default: your username, display name, bio, avatar, banner, links, and verified status can be seen by anyone with the link, and may appear in the public discovery directory and in search engines unless you change your privacy settings. You control this at /profile/edit — you can set your profile to unlisted (no search / directory) or private (logged-in visitors only), toggle search-engine indexing, and remove yourself from the directory.

9. Data retention

We keep your account data for as long as your account is active. Click and visit analytics are retained to provide you with historical statistics. Financial and transaction records are retained as required for accounting and legal compliance, and may be anonymised rather than deleted when you close your account. Security logs are retained for a reasonable period to support abuse detection.

10. Your rights

Depending on where you live, you may have the right to access, correct, delete, restrict, or object to our processing of your personal data, and to data portability. The Service provides self-service tools for several of these:

  • Access / portability — export a full JSON copy of your data from your account settings.
  • Correction — edit your profile, and change your email or password at /account/security.
  • Erasure — permanently delete your account and linked data from your account settings (financial records may be retained in anonymised form as noted above).

To exercise any other right, email us at [privacy@your-domain.tld]. You also have the right to lodge a complaint with your local data-protection authority.

11. Security

We protect your data with measures including bcrypt password hashing, optional two-factor authentication, CSRF protection, prepared SQL statements, output escaping, server-side request-forgery guards on outbound requests, a content-security policy, rate limiting, and HTTPS in transit. No method of transmission or storage is perfectly secure, so we cannot guarantee absolute security.

12. Children

The Service is not directed to children under [13 / 16 — choose per your jurisdiction], and we do not knowingly collect their personal data. If you believe a child has provided us data, contact us and we will delete it.

13. International transfers

Your data may be processed in countries other than the one you live in, including by the third parties listed in section 6. Where required, we rely on appropriate safeguards (such as standard contractual clauses) for those transfers.

14. Changes to this Policy

We may update this Policy from time to time. When we make material changes we will update the "Last updated" date above and, where appropriate, notify you. Your continued use of the Service after a change means you accept the revised Policy.

15. Contact us

Questions about this Policy or your data? Email privacy@arowanallc.com or write to us at our registered address. You can also reach us through the contact form or, if you have an account, by opening a support ticket.