Privacy Policy

Prolinq ("we", "us", "our") operates the Prolinq mobile app and the prolinq.me website (together, the "Service"). We are incorporated in India; our Grievance Officer can be reached at admin@prolinq.me.

This policy explains what personal data we collect when you use Prolinq, why we collect it, and what rights you have under the Digital Personal Data Protection Act 2023 (India), the General Data Protection Regulation (European Union), and the California Consumer Privacy Act / California Privacy Rights Act (United States).

Identity: first name, last name, company, designation, profession, tagline / "about" text, profile photo, company logo, date of birth (optional).

Contact: phone number(s) with country code, email address(es), postal address(es), social media profile URLs, website URLs.

Card preferences: your chosen card layout (1 of 12), background colour, accent colour, badges, card label, discoverability flag.

Connections: people you connect with, pending requests you send or receive, notes you record against your contacts, meeting notes and voice recordings you attach to contacts.

Analytics: views / shares / saves of your shared card, timestamps, approximate device type and OS version. This is opt-out in the Privacy settings.

Device: push notification token (only if you enable notifications), locale, approximate location (only if you tap "Use current location" in the Card Editor).

We do NOT collect: your device contacts without an explicit per-session permission, your precise GPS location unless you tap "Use current location", your payment data (we do not process payments), or any data classified as "sensitive personal data" under DPDPA Sec 2(t) such as biometric, health, or caste information.

Contract necessity: to render your digital card and enable sharing.

Consent: for discoverability in the Global Network, for push notifications, for optional analytics.

Legitimate interest: for fraud prevention, service-quality monitoring, and aggregated product analytics that do not identify you.

Legal obligation: if a court order or competent authority demands specific data under DPDPA / GDPR.

Prolinq currently runs on a single Supabase (PostgreSQL) instance hosted in the United States (us-east-1). If you are an EU or Indian user, your data is therefore transferred cross-border. We rely on Standard Contractual Clauses (GDPR) and explicit consent (DPDPA Sec 16) as the transfer mechanism.

If cross-border transfer is unacceptable for you, please delete your account before continuing to use the Service.

We do not sell your personal data to third parties.

Third-party processors we rely on:

• Supabase — database, auth, storage (our core backend).
• Vercel — hosting the prolinq.me website.
• Expo / EAS — mobile build + push notification delivery.
• Sentry (if enabled) — crash reporting. No identifying fields are sent; only stack traces.

These processors are bound by Data Processing Agreements that restrict them from using your data for their own purposes.

Regardless of jurisdiction, you can exercise the following from inside the Prolinq app (Settings → Privacy), or by emailing admin@prolinq.me:

• Access — download a JSON archive of everything we hold about you.
• Correct — edit any field at any time in the Card Editor.
• Delete — tap "Delete my account" for a hard delete of all your data and your auth record. Completed within 30 days.
• Withdraw consent — toggle off analytics / marketing / discoverability.
• Opt out of sale / sharing — California residents: tap "Do Not Sell My Info" (cosmetic; we do not sell).
• Lodge a complaint — with your local Data Protection Authority, or with our Grievance Officer (India) at admin@prolinq.me. India users can escalate to the Data Protection Board of India if unresolved within 7 days.

As long as your account is active, plus 30 days after deletion (for legal audit). Backup snapshots are purged within 90 days. Anonymised aggregate analytics may be retained indefinitely.

Prolinq is intended for users 18 and over. We do not knowingly collect data from persons under 18 (DPDPA Sec 9) / under 16 (GDPR Art 8 default) without verified parental consent. If you believe a minor has created an account, email admin@prolinq.me and we will delete it.

All data is encrypted in transit (TLS 1.3). At rest, Supabase uses AES-256 encryption. Passwords are hashed with bcrypt. We use Row-Level Security so one user cannot read another user's data at the database layer.

We will notify you in-app 7 days before any material change takes effect. Continued use after the notice period implies acceptance of the revised policy.

Questions or complaints: admin@prolinq.me
Grievance Officer (India / DPDPA): Prolinq Admin, admin@prolinq.me — responds within 7 working days.