Data Processing
Addendum

Effective 01 July 2023

1. Protecting personal data

Your and our handling of personal data through Alllinks.one is governed by European laws ("EU Data Protection Laws").

2. Responsibilities

This Data Processing Addendum ("DPA") applies when EU Data Protection Laws cover your Alllinks.one use and is part of our Terms. Our duties depend on whether we are a "controller" or "processor" of this data (see table).

Controller Processor
You
  • You primarily control the personal data within your content and about your Profile Visitors (collectively, "Profile Data").

    N/A
Alllinks.one

Alllinks.one may also control Profile Data to:

  • Enforce our Community Standards by reviewing content and taking necessary actions.
  • Analyze user engagement to offer insights and recommendations.
  • Generate statistics on link locking for platform analytics.
  • Utilize our cookies for analyzing Profile Visitor data.

(These are our "Controller Services")

We also process Profile Data for you to:

  • Enable content publishing (directly or via embedded links).
  • Gather data from visitor interactions (e.g., contact forms, payments).
  • Provide link-locking features.

(These "Processor Services" help us deliver our platform to you under our Terms).

3. Controller Services

Regarding Controller Services, the responsibilities of each party are detailed in the table below. Any additional obligations under EU Data Protection Laws concerning these Controller Services remain the individual responsibility of each party.

No. Controller duties Alllinks.one You
A A legal basis For the execution of Controller Services, Alllinks.one relies on its legitimate interests and those of its users. You must identify a legal basis for the processing that you undertake, by letting us carry out the Controller Services.
B Providing Information to Individuals (Data Subjects) Alllinks.one's Privacy Notice details our personal data processing for Controller Services. You must provide notice to Data Subjects about (i) your role in letting Alllinks.one process their data to carry out the Controller Services; and (ii) any other processing that you undertake.
C Complying With Data Subject Requests Alllinks.one is responsible for handling Profile Visitors' rights concerning the personal data we store for Controller Services. Upon your notification of a Data Subject rights request or a supervisory authority communication ("Request"), we will address it within our responsibilities under this DPA. We will also provide reasonable assistance to you, upon request, to help you comply with EU Data Protection Laws.

You are responsible for addressing Data Subjects’ rights with respect to your role in letting us carry out the Controller Services.

Where you have received a Request, you are not allowed to answer on Alllinks.one’s behalf. You will promptly share all relevant info with us (within a max. of 7 days) and provide any reasonable assistance that we request, to enable us to meet our obligations under EU Data Protection Laws.
D Securing Profile Data Alllinks.one will implement suitable technical and organizational security measures to address the risks associated with the Controller Services, specifically protecting personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, You will keep your password secure and ensure that you do not do anything that could compromise the security of the personal data processed as part of the Controller Services.

4. Processor Services

When you act as the 'controller' for Profile Data under applicable data protection laws, you bear the responsibility for its processing. In our role as a 'processor' for the Processor Services, Alllinks.one will adhere to your documented instructions and comply with our obligations under EU Data Protection Laws. Specifically, we will:

  • Process Profile Data strictly in accordance with our Terms. Should we become aware of any processing for the Permitted Purpose that infringes EU Data Protection Laws, we will promptly inform you.
  • Ensure that all personnel authorized by us to process Profile Data are bound by strict confidentiality obligations.
  • Implement and maintain appropriate technical and organizational measures designed to safeguard Profile Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
  • Notify you without undue delay if we confirm a personal data breach involving Profile Data.
  • You consent to our engagement of third-party subprocessors to process Profile Data for the Permitted Purpose, subject to the following conditions: (i) we will maintain and update a list of subprocessors in our Privacy Notice, notifying you of changes before implementation; (ii) we will impose data protection terms on each subprocessor that are at least equivalent to the standards required by EU Data Protection Laws; and (iii) we remain liable for any breach of this DPA caused by a subprocessor. You have the right to object to a new or replacement subprocessor based on reasonable data protection grounds. If such an objection is raised, we will either not appoint or replace the subprocessor, or if this is not feasible, you may suspend or terminate your account (without a refund of prepaid fees).
  • Considering the nature of the processing, we will provide you with reasonable and timely assistance (at your cost) to facilitate your completion of legally required data protection impact assessments and to respond to: (i) requests from individuals exercising their rights under EU Data Protection Laws; and (ii) any inquiries or complaints from individuals, regulators, or third parties related to our processing of Profile Data.
  • Upon termination of your account, we will delete all Profile Data in our possession or control that was processed for the Processor Services, unless applicable law mandates its retention.
  • Upon your request, we will provide copies of relevant security certifications or other necessary documentation to demonstrate our compliance with this DPA concerning the Processor Services. These documents will be subject to the confidentiality provisions outlined in the Terms.

5. International Data Transfers

Both parties agree to comply with EU Data Protection Laws concerning the transfer of personal data to third countries. Specifically, where you transfer personal data from the European Economic Area (EEA) or the United Kingdom (UK) to us, the Data Transfer Addendum (provided below) is an integral part of and incorporated into this DPA.

6. Definitions

Terms used within this DPA but not specifically defined herein shall have the same meanings as ascribed to them in the Terms. Additionally, the following definitions apply within this DPA:

  • 'EU Data Protection Laws' refers to either (as applicable) Regulation (EU) 2016/679 (the 'EU GDPR') or the EU GDPR as it has been incorporated into UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the 'UK GDPR').
  • 'Controller', 'processor', 'personal data' and 'data breach' shall have the meanings respectively assigned to them under Data Protection Laws.

Data Transfer Addendum

This Data Transfer Addendum is applicable to you if your use of the Alllinks.one account is governed by EU Data Protection Laws. It constitutes an integral part of both the DPA and the Terms; however, in the event of any inconsistencies between this Data Transfer Addendum and the DPA or the Terms, the provisions of this Data Transfer Addendum shall prevail.

1. Appropriate Safeguards

In instances where the transfer of Profile Data from you to us qualifies as a Restricted Transfer:

  • (a) For personal data protected under the EU GDPR, the Controller to Controller Standard Contractual Clauses (SCCs) will apply to the Controller Services, and the Controller to Processor SCCs will govern the Processor Services.
  • (b) Concerning personal data protected by the UK GDPR, the EU SCCs, as specified in section 1(a) above, will be applicable. Furthermore, these EU SCCs will be considered amended as detailed in Part 2 of the UK Addendum, which is hereby deemed to be entered into and incorporated into this Data Transfer Addendum by this reference.

2. Definitions

Terms utilized within this Data Transfer Addendum shall have the same meanings as defined in the Terms and the DPA. Additionally, the following definitions shall apply specifically to this Data Transfer Addendum:

  • "Restricted Transfer" means: (i) where the EU GDPR is applicable, a transfer of personal data from the EEA to a country located outside the EEA that has not been recognized by the European Commission (“EC”) as providing an adequate level of data protection; and (ii) where the UK GDPR is applicable, a transfer of personal data from the UK to any other country that is not subject to adequacy regulations issued pursuant to Section 17A of the United Kingdom Data Protection Act 2018.
  • "Controller to Controller SCCs" refers to Module One of the Standard Contractual Clauses annexed to the EC’s Implementing Decision (EU) 2021/914 of 4 June 2021, wherein: (i) for the purposes of Clause 17, Irish law shall govern; (ii) in Clause 18(b), disputes shall be resolved by the courts of Ireland; and (iii) Annex I shall be completed as outlined in Clause 3 of this Data Transfer Addendum, and Annex II shall be completed as detailed in the Alllinks.one Security Measures.
  • "Controller to Processor SCCs" refers to Module Two of the Standard Contractual Clauses annexed to the EC’s Implementing Decision (EU) 2021/914 of 4 June 2021, wherein: (i) in Clause 9, Option 1 shall apply, and the timeframe for providing prior notice of Subprocessor changes shall be as specified in Clause 4 of the DPA; (ii) in Clause 17, Option 1 shall apply, and Irish law shall govern; (iii) in Clause 18(b), disputes shall be resolved by the courts of Ireland; and (iv) Annex I shall be completed as outlined in Clause 3 of this Data Transfer Addendum, and Annex II shall be completed as detailed in the Alllinks.one Security Measures.
  • "EU SCCs" collectively refers to the Controller to Controller SCCs or the Controller to Processor SCCs, as applicable depending on the nature of the data transfer.
  • "UK Addendum" means the “International Data Transfer Addendum to the EU Commission Standard Contractual Clauses” issued by the Information Commissioner’s Office under s.119A(1) of the UK Data Protection Act 2018. Tables 1 to 3 in Part 1 of the UK Addendum shall be deemed completed with the relevant information from the EU SCCs, as outlined in Clause 3 of this Data Transfer Addendum, and the option “Importer” shall be deemed checked in Table 4.

3. Annex to the GDPR

A. LIST OF PARTIES

Data Exporter Data importer
Name, address and contact details As specified in your Alllinks.one account. Alllinks.one Pty Ltd of 1-9 Sackville Street, Collingwood, VIC 3066.
Activities relevant to the data transferred under these SCCs Sending personal data to Alllinks.one in accordance with the Terms. Receiving and processing personal data from you in accordance with the Terms.
Role Controller

Controller for the Controller Services.


Processor for the processor Services.

B. DESCRIPTION OF TRANSFER

Categories of Data Subjects whose personal data is transferred Alllinks.one users
Categories of personal data transferred
  • Contact Information: Includes name, account email(s), and username (with URL).
  • PRO User Details: Encompasses name, payment email, billing address, and payment method.
  • Other Data: Covers user marketing choices, industry/vertical, and hashed password.
  • Profile Content: Consists of profile title, image, biography, link titles/descriptions, social media links, and embedded media (e.g., videos, donation links) within a Alllinks.one profile.
  • Device Information: Comprises IP address, language preference, browser type, time zone, webpage visit duration, unique device IDs, other diagnostic logs, and application data.
Sensitive data transferred None
Nature of the processing Alllinks.one's platform enables audience connection to your online locations, improving content visibility and organization.
Purpose(s) of the data transfer and further processing The provision of services as per the agree

C. COMPETENT SUPERVISORY AUTHORITY

The competent supervisory authority will be identified as per Clause 13. Determined in accordance with Clause 13 of the EU Standard Contractual Clauses.