Privacy Policy

Last updated: April 6, 2026

1. Who We Are (Data Controller)

Steezr Link ("Steezr", "we", "us", or "our") is a link-in-bio platform operated by steezr s.r.o., IČO: 22354883, with registered seat in the Czech Republic. We are the data controller responsible for your personal data under the EU General Data Protection Regulation (GDPR) and applicable Czech data protection law. This Privacy Policy explains how we collect, use, disclose, and protect your personal data when you use our website at steezr.com, steezr.link, and all related services (collectively, the "Service").

2. Data We Collect

2.1 Account Information

When you register, we collect your email address, display name, and username. We use passwordless authentication (magic links sent via email), so we never store passwords. Magic link tokens are single-use, expire after 15 minutes, and are purged from our systems after expiry.

2.2 Profile Content

Any content you add to your Steezr Link page — including links, bios, avatar images, header images, section headers, embedded media, uploaded files, and documents — is stored on our servers and displayed publicly on your profile page. This content is visible to anyone with your profile URL.

2.3 Analytics & Visitor Data

When someone visits a Steezr Link page, we collect anonymised analytics data including: referrer URL, user agent string, approximate country and city (derived from IP address via geo-lookup), device type, and detected visitor intent category (fan, brand/industry, or buyer — inferred from referrer). We do not permanently store raw IP addresses of page visitors. IP addresses are used transiently for geo-lookup and rate limiting, then discarded.

2.4 AI Clone Data

If you enable the AI Clone feature, the following data is processed:

  • Creator-provided content — System prompts and content chunks you upload are stored in our database and sent to our AI provider (Anthropic) in real time when a visitor initiates a chat session.
  • Visitor chat messages — Messages typed by visitors are sent to Anthropic for processing in real time to generate a response. We do not store visitor chat messages in our database. Chat conversations are ephemeral and exist only for the duration of the browser session.
  • Rate-limiting data — We use visitors' IP addresses in-memory for rate limiting (max 20 requests per 60 seconds). This data is held only in server memory and is never written to disk or a database.
  • Input sanitisation — All user input (chat messages, system prompts, content chunks) is automatically sanitised to remove HTML, scripts, control characters, and known prompt-injection patterns before processing.

Anthropic acts as a data processor on our behalf under a Data Processing Addendum (DPA) that includes EU Standard Contractual Clauses. Anthropic does not use data submitted through their API to train their models. See Anthropic's Privacy Policy and Anthropic's Data Processor documentation.

2.5 Connected Platforms

If you connect third-party platforms (e.g., YouTube, Shopify) for auto-sync, we store OAuth tokens required to fetch your content. These tokens are encrypted at rest and are never shared with third parties.

2.6 Payment Data

Payments are processed by Stripe. We store your Stripe customer ID and subscription status, but never your credit card number, CVC, or full payment details. See Stripe's Privacy Policy.

3. How We Use Your Data

  • To provide, maintain, and improve the Service
  • To authenticate you via magic link emails
  • To display your public profile page to visitors
  • To generate aggregated analytics (page views, clicks, audience breakdown)
  • To classify and route visitors by detected intent (audience targeting — see Section 8)
  • To power AI-generated themes and AI Clone chatbot responses
  • To sanitise and moderate user input for safety and abuse prevention
  • To enforce rate limits and prevent abuse of the Service
  • To process payments and manage subscriptions via Stripe
  • To send transactional emails (magic links, account notifications, service announcements)
  • To detect and prevent fraud, spam, abuse, and security incidents
  • To comply with legal obligations and respond to lawful requests

4. Legal Basis for Processing (GDPR Article 6)

We process your personal data on the following legal bases:

  • Contract performance (Art. 6(1)(b)) — processing necessary to provide the Service you signed up for, including hosting your profile, processing payments, and generating AI Clone responses from content you supply
  • Legitimate interest (Art. 6(1)(f)) — analytics, fraud prevention, rate limiting, input sanitisation, service improvement, and security monitoring. We have balanced these interests against your rights and determined that processing is proportionate and expected by users.
  • Consent (Art. 6(1)(a)) — where you explicitly opt in, such as connecting third-party platforms or enabling the AI Clone feature
  • Legal obligation (Art. 6(1)(c)) — where required by law, such as maintaining tax records for paid subscriptions or responding to lawful court orders

5. Data Sharing & Sub-processors

We share data only with the following categories of processors. All processors are bound by data processing agreements that comply with GDPR requirements:

  • Infrastructure & storage — Hetzner Online GmbH (hosting, object storage — Falkenstein, Germany, EU)
  • Email delivery — Amazon Web Services / Amazon SES (transactional emails — EU region)
  • Payments — Stripe, Inc. (payment processing — US, with EU SCCs)
  • AI processing — Anthropic PBC (AI Clone and theme generation — US, with DPA and EU SCCs). Anthropic acts as a data processor and does not use API data for model training.
  • Error monitoring — Functional Software, Inc. / Sentry (error tracking — US, with DPA and EU SCCs)

We do not sell your personal data. We do not share it with advertisers, data brokers, or any third party for marketing purposes. We will not disclose your data to any party except as described above, unless required by law or a valid court order.

6. Data Retention

  • Account data — retained for as long as your account is active. If you delete your account, all personal data (profile, links, analytics, files, AI content chunks, connected platform tokens) is permanently deleted within 30 days after the grace period.
  • Analytics data — retained for 30 days (free accounts) or 365 days (Pro accounts). Anonymised, aggregated analytics may be retained indefinitely for service improvement.
  • AI Clone chat messages — not stored. Visitor chat conversations are processed in real time and discarded when the browser session ends.
  • Rate-limiting data — held only in server memory. Automatically purged every 5 minutes.
  • Magic link tokens — expire after 15 minutes and are purged from the database on a regular schedule.
  • Payment records — Stripe transaction IDs and subscription status are retained for as long as required for tax and accounting obligations (typically 10 years under Czech law).
  • Terminated accounts — if your account is terminated by us for policy violation, all account data is permanently deleted within 30 days of termination.

7. Your Rights (GDPR Articles 15–22)

Under the GDPR and applicable data protection legislation, you have the right to:

  • Access (Art. 15) — request a copy of the personal data we hold about you
  • Rectification (Art. 16) — correct inaccurate data via your dashboard or by contacting us
  • Erasure (Art. 17) — delete your account and all associated personal data
  • Portability (Art. 20) — export your data in a structured, machine-readable format (JSON export available in Account Settings)
  • Restriction (Art. 18) — request that we limit how we process your data
  • Objection (Art. 21) — object to processing based on legitimate interest
  • Withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days as required by law. If we need additional time, we will notify you of the extension and the reason. There is no fee for exercising your rights, unless requests are manifestly unfounded or excessive.

8. Automated Decision-Making & Profiling

The Service uses the following automated processing that may affect your experience:

  • Audience routing — When a visitor arrives at a creator's page, we automatically classify them into an intent category (fan, brand/industry, buyer) based on their referrer URL. This classification determines which links are displayed. This is automated profiling under GDPR Article 22, but it does not produce legal effects or similarly significant effects on visitors — it only controls which links are shown on a single page.
  • AI Clone responses — Responses are generated in real time by a third-party AI model (Anthropic Claude) based on creator-supplied content. No human reviews AI responses before they are shown. Visitors are clearly informed that they are interacting with an AI system (see Section 9).
  • Input sanitisation — All user-submitted text is automatically scanned and sanitised to remove potentially harmful content (HTML, scripts, control characters, known prompt-injection patterns). This is a security measure that does not constitute profiling.
  • Rate limiting — IP-based rate limiting is applied to the AI Clone chat endpoint. This is a security measure to prevent abuse and does not constitute profiling.

You have the right to request human review of any automated decision that significantly affects you. Contact us at [email protected].

9. AI Transparency (EU AI Act, Article 50)

In accordance with the EU AI Act, we provide the following transparency disclosures:

  • The AI Clone is an AI chatbot, not a human. Visitors are informed at the start of every interaction via a visible disclaimer: "AI-generated responses · May be inaccurate · Not the real person."
  • The AI Clone's responses are generated by Anthropic Claude, a large language model. Responses may be inaccurate, outdated, or incomplete.
  • The AI Clone is designed to only answer questions about the specific creator and will refuse general-knowledge questions, harmful requests, and attempts to override its instructions.
  • AI-generated theme suggestions are produced by the same AI model and are presented as suggestions for the creator to review and accept or reject.
  • No AI-generated content on the Service is presented as human-created. All AI outputs are clearly labelled or contextually identifiable as AI-generated.

10. Cookies

We use a single httpOnly, Secure, SameSite=Lax session cookie (steezr_session) for authentication. This cookie is strictly necessary for the Service to function and does not track you across websites. It expires after 8 hours of inactivity. We do not use advertising cookies, third-party tracking cookies, or analytics cookies. No cookie consent banner is required because we only use strictly necessary cookies.

11. Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Encrypted connections (TLS/HTTPS) for all data in transit
  • httpOnly, Secure cookies to prevent client-side access
  • Encrypted storage for OAuth tokens and sensitive credentials
  • Parameterised database queries to prevent SQL injection
  • Input sanitisation to prevent XSS, script injection, and prompt injection
  • IP-based rate limiting on public-facing AI endpoints
  • Mandatory AI safety guardrails that cannot be overridden by users
  • Regular dependency updates and security reviews

While no system is 100% secure, we follow industry best practices and continuously work to protect your information. If you discover a security vulnerability, please report it responsibly to [email protected].

12. International Transfers

Your data is primarily stored and processed in the European Union (Hetzner, Falkenstein, Germany). Where data is transferred outside the EU/EEA — specifically to Anthropic (US), Stripe (US), Amazon SES (US), and Sentry (US) — we ensure adequate safeguards are in place through the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, supplementary technical measures such as encryption in transit and at rest.

13. Children's Privacy

The Service is not intended for children under 16. We do not knowingly collect personal data from children under 16. If you believe a child under 16 has provided us with personal data, contact us at [email protected] and we will promptly delete it.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email at least 30 days before they take effect. The "Last updated" date at the top of this page indicates when it was last revised. Continued use of the Service after the updated policy takes effect constitutes acceptance.

15. Supervisory Authority

If you are in the EU/EEA and believe we are processing your personal data in violation of the GDPR, you have the right to lodge a complaint with your local data protection supervisory authority. Our lead supervisory authority is the Office for Personal Data Protection of the Czech Republic (Úřad pro ochranu osobních údajů, ÚOOÚ).

16. Contact

If you have questions about this Privacy Policy, our data practices, or wish to exercise your rights, contact us at:

[email protected]

steezr s.r.o. · IČO: 22354883 · Czech Republic