Privacy Policy
Company: Compatha trading as Compatha
Contact: privacy@compatha.com, support@compatha.com
1. Introduction — scope & purpose
Compatha (“we”, “us”, “our”) provides a cloud-based SaaS platform for link shortening, QR codes, bio/landing pages, splash pages, CTA overlays, analytics and related features (the “Service”). This Privacy Policy explains what personal data we collect, how we use it, who we share it with, your choices and rights, and how we protect personal data. This policy applies to all users of the Service and visitors to our websites.
We aim to be transparent and to comply with applicable privacy laws (including the EU General Data Protection Regulation where applicable and the California Consumer Privacy Act / CPRA for California residents).
2. Summary (quick answers)
What we collect: account & contact data, billing data, payment token (via payment processor), usage & click analytics (including IP, device, geolocation by IP), content you upload (bio pages, landing pages), cookies, and support communications.
Why we collect it: to provide the Service (contracts), secure and improve the Service (legitimate interests), comply with law (legal obligations), and for marketing with consent or lawful basis.
Who we share with: authorized processors (payment providers, email providers, hosting/CDN, analytics), law enforcement where required, and third-party integrators you enable. We use processors such as Stripe, PayPal, Mailchimp, Google Analytics, Cloudflare, and others — see §10.
Your rights: access, correction, deletion, data portability, restriction/objection, withdraw consent — depending on your jurisdiction (GDPR/CCPA details below).
Read the full policy below for details.
3. Personal data we collect (categories & examples)
We collect the following categories of personal data depending on how you use the Service:
Identity & contact data
Name, company name, job title, email address, phone number (when provided during registration or support).
Account & authentication data
Username, hashed password, API keys, OAuth tokens when you enable social login.
Billing & payment data
Billing address, invoice details, and payment transaction metadata. We do not store full card numbers — payments are processed through third-party payment processors (e.g., Stripe, PayPal). See §10.
User-generated content
Links you shorten, landing/bio page content (text, images, files), QR code metadata, custom domains you configure.
Usage, analytics & logs
Clicks on shortened links, timestamps, referrers, device type, browser, operating system, IP address, approximate geolocation derived from IP, session identifiers, and performance metrics.
Support & correspondence
Support tickets, chat logs, email correspondence and troubleshooting information.
Cookies and tracking
Cookies and similar technologies that remember preferences, enable login, and collect analytics (see §11 Cookies).
4. How we collect personal data
Directly from you: when you sign up, create links/pages, contact support, or provide data in the dashboard.
Automatically: via logs, cookies, and analytics when you or visitors click links or visit generated pages.
From third parties: when you connect third-party integrations (e.g., when you connect Mailchimp, analytics accounts, or enable social login) or when payment processors provide transaction metadata.
5. Purposes of processing & legal bases
We process personal data for these core purposes:
To provide and operate the Service (contract performance). Creating and managing accounts, generating links and pages, delivering content, billing and invoicing. (Legal basis: performance of a contract.)
Security, fraud prevention & abuse detection (legitimate interests). Protecting accounts, scanning links against threat lists, rate-limiting bots, investigating abuse. (Legal basis: legitimate interests; we balance these interests against user rights.)
Service improvement & analytics (legitimate interests / consent for certain tracking). Aggregated and anonymized analytics to improve features and performance.
Communications & support (contract performance / legitimate interests). Sending account notifications, transaction receipts, security alerts, and responding to support requests.
Marketing (consent or legitimate interests depending on jurisdiction). Sending product updates and promotional emails; you may opt out at any time.
Legal compliance (legal obligations). Processing necessary to comply with court orders, law enforcement, tax obligations, and regulatory requirements.
If you are in the EU/EEA, we will identify the specific lawful basis for each processing activity on request. See ICO guidance on lawful bases.
6. Recipients — who we share personal data with
We share personal data with:
Service providers / processors who support our operations (hosting, CDN, payments, email delivery, analytics, monitoring, crash reporting). Examples: AWS, Cloudflare, Stripe, PayPal, Mailchimp, Google Analytics. These providers act as processors and process data under contract.
Customers: If you use Compatha to operate a public bio/landing page, visitors to that page may see content you publish. You are responsible for any personal data you publish on public pages.
Third-party integrations you enable: data shared with third-party apps you connect (e.g., CRM or marketing tools) per your authorization.
Law enforcement or regulators where required by law or to protect rights and safety.
Acquirers or affiliates: in case of sale, merger, or reorganization we may transfer data as part of business assets, subject to confidentiality.
We require processors to implement reasonable security measures and only process data as instructed.
7. International transfers & safeguards
Because we use global processors and host data internationally, data may be transferred to and processed in countries outside your jurisdiction (including the U.S.). Where required by law (e.g., transfers from the EEA), we use appropriate safeguards such as EU Standard Contractual Clauses (SCCs) or other lawful mechanisms. For EU customers, we can provide executed SCCs on request.
8. Data retention (how long we keep data)
We retain personal data only for as long as necessary for the purposes described and to satisfy legal, tax, or accounting obligations. Typical retention periods (customize to your policy and legal advice):
Account information: until account termination plus 1 year (or as required to respond to disputes).
Billing and payment records: 7 years (for tax and accounting).
Click & analytics logs: default 24 months (configurable per customer preferences); aggregated anonymized analytics may be kept indefinitely.
Backups: up to 90 days.
Support tickets and correspondence: 3 years (or as needed).
Choose retention periods that meet legal obligations and business needs, and publish them in your privacy or data retention policy. (These are suggested defaults — adapt to local law & counsel.)
9. Your rights & how to exercise them
Depending on your jurisdiction, you may have the right to:
Access the personal data we hold about you;
Correct inaccurate or incomplete data;
Request deletion (the “right to be forgotten”) — subject to legal exceptions;
Object to or restrict processing where we rely on legitimate interests;
Data portability (receive a copy in a structured, machine-readable format);
Withdraw consent where processing relies on consent;
Opt out of sale/sharing if applicable under local law (e.g., CCPA/CPRA).
To exercise your rights, contact us at privacy@compatha.com or use the self-service controls in your account (where available). We will respond within the timeframes required by applicable law. For California residents, see §10 (CCPA/CPRA) for specific procedures.
10. California residents (CCPA / CPRA) — summary
If you are a California resident, you may have additional rights under the CCPA/CPRA, including:
Right to know categories of personal information collected, sold, or disclosed;
Right to request deletion of personal information;
Right to opt out of sale of personal information (we do not sell personal information for monetary consideration — if that changes we will provide a clear “Do Not Sell” link);
Right to non-discrimination for exercising privacy rights.
To make a request if you are a California resident, email privacy@compatha.com or use the designated form at [link to CCPA request form]. We will verify your request per CCPA requirements. For more details about CCPA obligations and notices at collection, see California AG guidance.
11. Cookies & tracking technologies
We and our partners use cookies, local storage, and similar technologies to operate the Service, secure accounts, remember preferences, and analyze usage. Types:
Strictly necessary cookies — required for the Service (login, security).
Performance & analytics cookies — collect aggregated usage (Google Analytics).
Functional cookies — remember user preferences and settings.
Marketing cookies — used for advertising and remarketing if enabled or consented.
You can manage cookie preferences via the cookie banner (if shown) and browser settings. Disabling certain cookies may affect functionality. For a detailed cookie list and opt-out instructions, see our Cookie Policy at [link to cookie policy].
12. Security measures
We implement commercially reasonable technical and organizational safeguards (encryption in transit, access controls, logging, monitoring) to protect personal data. However, no system is completely secure. If we learn of a security breach that affects your personal data, we will follow applicable law for notification and remediation.
13. Data controller vs. data processor — who is responsible?
Compatha as controller: For personal data collected as part of providing our Service (account info, usage logs, billing), Compatha is generally the data controller and responsible for how we process that data.
Customer as controller for their end-users: When a customer uses Compatha to collect or publish data about its end-users (for example, a publisher’s audience clicking a shortened link), that customer typically acts as the controller for that end-user data and is responsible for complying with applicable privacy laws toward those end users. We act as a processor for that data and process it only according to the customer’s instructions and our processor agreements. This division of responsibility is important — customers should ensure they have appropriate notices and lawful bases for collecting their end-user data.
If you need a Data Processing Agreement (DPA) or SCCs for transfers, contact privacy@compatha.com.
14. Third-party services & embedded content
Our Service may include links, widgets, or integrations with third-party providers (e.g., Mailchimp for newsletters, Stripe/PayPal for payments, Google Analytics for product analytics, Cloudflare for CDN). Those providers have their own privacy policies and may process personal data independently. We encourage you to review their privacy policies before enabling integrations.
15. Minors
Our Service is not directed at children under [13/16 — choose local minimum]. We do not knowingly collect personal data from children. If you believe we have collected data from a child in violation of this policy, contact privacy@compatha.com to request deletion.
16. Automated decision-making & profiling
We may use automated systems to aggregate usage data and perform analytics. We do not make automated decisions having legal or similarly significant effects on individuals. If you are subject to such automated decisions (e.g., fraud scoring), we will provide required disclosures and rights where applicable.
17. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be posted with an updated effective date and, where required, notified to registered users by email. For guidance on privacy notice content and updates see ICO resources.
18. Contact & complaints
Questions, requests, or complaints about this Privacy Policy or our data practices: email privacy@compatha.com or write to:
[Company legal name]
[Address]
Attn: Privacy Team / DPO (if applicable)
If you are in the EU/EEA and you believe we have violated your privacy rights, you may lodge a complaint with your local Data Protection Authority (DPA).
19. Data request procedures & verification
We will verify identity before fulfilling data access, deletion, or portability requests to protect accounts from unauthorized access. For California residents, we will follow CCPA verification rules. See §10 for contact details.
20. Retention & deletion requests from visitors to public pages
If a visitor believes personal data (e.g., a name) appears on a public bio or landing page and requests removal, the owner of that page (the account that created it) controls the content. We may assist in removing content upon verified legal requests or where content violates our Acceptable Use Policy. Contact privacy@compatha.com for takedown requests.
21. Auditability & Data Processing Agreement (DPA)
We are prepared to sign a DPA with customers and to provide reasonable information about our security and processing practices. For customers requiring SCCs or other transfer mechanisms, contact privacy@compatha.com. The European Commission’s SCCs are a common safeguard for cross-border transfers.
22. Legal bases & more detail (EU/EEA users)
If you are an EU/EEA resident, we process personal data under lawful bases such as contract performance, legitimate interests, consent (where required), and legal obligations. For more detail on the lawful basis used for each processing activity contact privacy@compatha.com. See ICO guidance on what privacy notices must include.
23. Developer & API notes (for technical users)
If you use Compatha’s API or embed SDKs, you should design your integration to respect user privacy. API keys should be kept secret, and any personal data transferred via the API is processed under this Privacy Policy.
24. International transfers — specifics
International transfers occur when personal data are stored or processed outside the country where the data subject resides. When transfers are from the EEA, we rely on SCCs or other safeguards; for transfers to the U.S., we use contractual protections and appropriate measures. Contact privacy@compatha.com for copies of SCCs or transfer addenda.
25. Independent resources & references
This policy was drafted using public guidance and common SaaS practice documents (guidance from the UK ICO and California AG, modern SCCs, and example policies from major processors). See: ICO guidance on privacy notices, CCPA guidance from the California AG, EU SCCs (European Commission), Stripe and Mailchimp privacy pages for examples of SaaS processor practices.
26. Final notes & recommended next steps
Fill placeholders (company legal name, address, DPO email, effective date).
Choose and document retention periods aligned with local law and tax requirements.
Prepare a Data Processing Agreement (DPA) for customers; make SCCs available for EU customers.
Publish a cookie policy and cookie banner if you use analytics and tracking (with opt-in where required).
Ask legal counsel to review — privacy obligations vary by jurisdiction and the final policy must be adapted.