Privacy Policy
Last updated: 19 May 2026
This Privacy Policy explains what personal data Incy Links ("the Service", operated by Stacksy Pty Ltd) collects, why, and what we do with it. It applies to people who sign up for and use the Service.
1. What we collect
Account information
- Your name, work email address, and a hashed password
- Your organisation name, optional subdomain, and chosen plan
- Billing details (handled by Stripe — see below)
Usage data
- The short links you create, including destination URLs, slugs, tags, and any UTM parameters or expiry settings you set
- Click records: timestamp, IP address (truncated for country lookup), referrer, user agent, country
- API keys (only the SHA-256 hash is stored, plus a non-secret prefix shown in your dashboard)
- Server logs of admin/API requests (standard nginx access + error logs, retained 30 days)
2. Why we collect it
To provide the Service: redirect short links, track clicks for your analytics, manage your team, bill your subscription, send transactional emails (receipts, password resets, important account notices), and help you when you contact support.
We don't use your data for advertising. We don't sell it.
3. Who we share it with
We use a small number of third-party services to operate Incy Links:
| Service | Purpose and data received |
| --- | --- |
| Stripe | Payment processing. They receive your name, email, and card details (we never store cards). Stripe's privacy policy: stripe.com/privacy |
| Let's Encrypt | Free SSL certificates for custom domains. They receive your domain hostname only. |
| ipapi.co | IP-to-country lookups for click analytics. Only the IP address is sent — no other personal data. |
| Hostinger | The Service is hosted on a Hostinger VPS in their data centre. Standard infrastructure access only. |
Beyond these, we share data only when required by law (e.g. a valid court order).
4. Where data is stored
The Service runs on a Hostinger VPS. Our application database is stored on the same server. Backups are taken regularly and retained for 30 days.
Stripe data is held in Stripe's infrastructure (US/EU). Let's Encrypt records are public (issued certs are logged to public Certificate Transparency logs).
5. How long we keep it
- Click history: per your plan — 30 days on Lite, 1 year on Pro, unlimited on Enterprise. Older records are deleted automatically.
- Account + link data: kept while your account is active. Deleted within 30 days of account closure, unless we have a legal obligation to retain it longer.
- Server logs: 30 days.
- Stripe billing records: retained per Stripe's policies and Australian tax law (typically 7 years).
6. Cookies
We use one cookie: incy_sess (or stksy_sess for legacy installs) — a session cookie that keeps you signed in. Marked HttpOnly, Secure, SameSite=Lax. No tracking pixels, no third-party analytics cookies.
7. Your rights
Under the Australian Privacy Act and (where applicable) the GDPR, you have the right to:
- Access the personal data we hold about you
- Correct anything inaccurate (most of this is editable in your profile/dashboard; for the rest, email us)
- Request deletion of your account and data
- Export your data (CSV link export is built in; for the full account, email us)
- Lodge a complaint with the Office of the Australian Information Commissioner (oaic.gov.au) if you believe we've mishandled your data
8. Children
Incy Links is intended for use by people aged 18 and above (or the age of majority in your jurisdiction). We do not knowingly collect data from children.
9. Changes to this policy
We may update this policy from time to time. Material changes will be notified by email or via a banner on the dashboard at least 14 days before they take effect.
10. Contact
Privacy questions, access requests, deletion requests: kristen@stacksy.com.au.