What we mean by security
Most "security" pages on SaaS sites are reassurance documents. This one is meant to be specific. It explains what linkboo does with your data, what it does with your viewers' data, how the redirect engine actually works in production, how abuse is detected, and the things we explicitly refuse to do regardless of who asks.
If something here doesn't match what you need, we'd rather you find out now than mid-onboarding.
Your data (creator data)
What we store. Account email, hashed password (bcrypt with per-account salt), pages you've built, links inside those pages, custom domains, billing info (handled by Stripe; we never store card numbers), and analytics data.
Where it lives. Primary database on AWS RDS (Postgres) in us-east-1 by default. EU customers' data is replicated and primarily served from eu-west-1 to satisfy GDPR data-residency expectations. Backups encrypted at rest with AES-256, retained 30 days. Logs encrypted at rest.
Who can access it. A short list of named engineers, with access auditable and rotated quarterly. No third-party support contractor has database read access. Customer support reps see only the data scoped to a specific support ticket.
Two-factor authentication. Available on all plans. Required on Agency.
How to delete it. Account deletion in Settings → Account → Delete account. Soft-delete (recoverable for 30 days), then hard-delete (irrecoverable). On hard-delete, identifying data is purged from active systems and from the 30-day backup rotation on the next rotation cycle. Tell us if you need faster purge for regulatory reasons.
Your viewers' data
What we store about viewers. Per-click: a hashed IP (truncated and salted, not reversible), user agent (truncated to platform/browser identification), referrer header (truncated), timestamp, the link that was tapped, and the destination it routed to. No exact IP, no device ID, no cross-domain fingerprint.
What we don't store. We don't run a third-party tracker on your viewers. We don't sell click data, ever. We don't share click data with platforms, ad networks, or data brokers. The click data on your dashboard is yours.
Cookies on the viewer side. linkboo's redirect page sets at most one short-lived (15-minute) session cookie on its own domain, used only to detect rapid duplicate clicks for abuse rate-limiting. It does not survive the redirect, does not track viewers across sessions, and is not used for analytics. Your destination's cookies are between you and your destination.
Viewer DSAR / GDPR requests. Because viewer data is hashed and truncated, we typically cannot link a request to specific records. We will confirm this in writing and delete any records we can identify on request.
The redirect engine
How a tap actually flows. A viewer taps a linkboo link from (e.g.) TikTok. The request hits our edge — Cloudflare Workers globally distributed — which:
- Validates the link exists and isn't archived or expired (≤2ms).
- Resolves the destination URL (≤2ms).
- Detects whether the request is coming from an in-app webview (≤1ms).
- Returns either a 302 (real browsers) or a small handoff page (in-app webviews). The handoff page is signed and cached at the edge to prevent tampering.
- The handoff transfers the viewer to their device's real browser — the in-app webview closes, the destination reopens in Safari or Chrome, and the viewer's real cookies (and logged-in session) come with them. On the rare device where the automatic handoff can't fire, linkboo shows a clean one-tap escape.
- A click record is written to a queue (eventually consistent into the analytics store).
Median end-to-end latency: 18ms global. p99 latency: 95ms.
The escape flow's safety properties. The escape flow only routes to the destination URL configured by the creator. It does not allow viewer-supplied URLs. It does not interpolate query parameters into the destination beyond preserving the original UTM string. It cannot be coerced into routing to an arbitrary URL by manipulation of the linkboo page URL.
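The tap flow and the safety properties above, modelled as an added example (not linkboo's edge code): the destination comes only from the stored link, the viewer's query string contributes nothing but utm_* keys, and archived or expired links never resolve. The in-memory link store, the webview user-agent markers and the creator-wins rule for duplicate UTM keys are assumptions.

```javascript
// Constructed link store keyed by slug; in production this is a store lookup at the edge.
const LINKS = {
  abc123: { destination: "https://shop.example/landing?ref=bio", archived: false, expiresAt: null },
  old456: { destination: "https://shop.example/sale", archived: false, expiresAt: "2020-01-01T00:00:00Z" },
  gone789: { destination: "https://shop.example/x", archived: true, expiresAt: null },
};

// Assumed subset of in-app webview markers; these get the handoff page instead of a bare 302.
const WEBVIEW_RE = /\b(FBAN|FBAV|Instagram|musical_ly|BytedanceWebview|TikTok)\b/i;

function isInAppWebview(userAgent) {
  return WEBVIEW_RE.test(userAgent || "");
}

// The outbound URL is built from the stored destination only. Of the viewer's query
// string, only utm_* keys are carried across (creator-set values win), so viewer-supplied
// parameters such as ?to=https://evil.example or ?url=... are dropped rather than followed.
function buildDestination(storedDestination, requestUrl) {
  const dest = new URL(storedDestination);
  for (const [key, value] of new URL(requestUrl).searchParams) {
    if (/^utm_[a-z]+$/i.test(key) && !dest.searchParams.has(key)) {
      dest.searchParams.set(key, value);
    }
  }
  return dest.toString();
}

// Resolve one tap. Returns a plain object describing what the edge would send back.
function resolveTap(requestUrl, userAgent, now = new Date()) {
  const slug = new URL(requestUrl).pathname.replace(/^\/+/, "");
  const link = LINKS[slug];
  if (!link || link.archived) return { status: 404, handoff: false, location: null };
  if (link.expiresAt && new Date(link.expiresAt) <= now) return { status: 410, handoff: false, location: null };
  const location = buildDestination(link.destination, requestUrl);
  if (isInAppWebview(userAgent)) {
    // Handoff page: the destination is embedded server-side and signed/cached;
    // nothing in it is read back from the viewer's request.
    return { status: 200, handoff: true, location };
  }
  return { status: 302, handoff: false, location };
}
```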
TLS. Every link, every redirect, every page served over TLS 1.2 minimum, TLS 1.3 preferred. HSTS enabled on link.boo and all customer custom domains. Custom domain certs auto-provisioned via Let's Encrypt.
Abuse detection
Inbound abuse (people abusing linkboo). Every link is scanned at creation and periodically thereafter against a blocklist of known phishing/malware destinations. Links to known-bad destinations are blocked at creation. Pre-existing links that later route to flagged destinations are paused with notification to the account owner. We participate in standard browser-safety feeds.
Rate-limiting. Per-account creation rate-limits are in place (10 links/minute, 1,000/day for Free; higher for Pro/Agency). API requests rate-limited per token. Suspicious creation patterns (high-volume link creation with unconfigured destinations, signups from disposable email domains, signups followed by immediate phishing-pattern link creation) trigger an account review.
Outbound abuse (people targeting linkboo). WAF rules at the edge, DDoS mitigation via Cloudflare, automated traffic-pattern monitoring with paging at p95 latency deviation. Account-level brute-force protection on the login endpoint.
PII and the things we minimize
We try to handle as little PII as possible:
- No name or address field on signup. Email and password are enough.
- No phone number required at any tier.
- No identity verification for creators. (Some destinations may require this on their end — that's separate from linkboo.)
- Hashed IPs for viewer analytics. We never see the real IP after first-touch processing at the edge.
- No third-party trackers on linkboo.com or my.linkboo.com. No GA, no Mixpanel, no Segment, no Hotjar on the product surface. Marketing-site pages may carry analytics; that's disclosed in our cookie banner.
What we don't do
- We don't sell data. Not to anyone, not under any tier, not as part of any acquisition discussion.
- We don't fingerprint viewers. No browser-fingerprint, no canvas-fingerprint, no font-list extraction.
- We don't run cross-domain tracking. linkboo cannot tell that a viewer who tapped a creator's bio link is the same viewer who tapped a different creator's bio link three minutes later. We have no incentive to know.
- We don't read your destination URLs' content. linkboo redirects to your destination. We do not crawl it, scrape it, or analyze it (beyond domain-reputation lookups at link-creation time).
- We don't share data with platforms. TikTok, Instagram, Meta — none of them get data from linkboo.
Compliance posture
- GDPR. Compliant. DPA available on request from any plan.
- CCPA. Compliant. Consumer rights forms processable via the data-deletion flow.
- SOC 2 Type II. In progress. Targeted audit completion 2027. Internal controls in place; formal report not yet available.
- HIPAA. linkboo is not a HIPAA-covered service. Do not put PHI in link metadata or page copy. (Compounded med and hormone clinics: this affects your acceptable use posture — see acceptable use.)
- PCI. Card processing handled by Stripe; linkboo's environment is SAQ-A scope.
Reporting a vulnerability
Found a bug, an exploit, or a data exposure? Email security@link.boo with details. PGP key on the same page. We commit to:
- Acknowledging within 48 business hours.
- A status update every 5 business days until resolution.
- No legal action against good-faith researchers operating within standard responsible-disclosure norms.
- A bug bounty for verified issues (range: $250–$10,000 depending on severity).
If something here is missing for you
Procurement-shaped questions (DPA, MSA, SIG-Lite, vendor risk assessments) — we have the paperwork ready. Email security@link.boo or sales@link.boo depending on whether the contact is technical or commercial.