GDPR Approach

How LINK-V handles personal data inside our products and client engagements. The principles that shape Timeless, Grace Mail, and Custom work.

Last updated: 1 January 2026

This page describes how LINK-V approaches GDPR when handling personal data within our products and engagements — Grace Mail, Timeless, and Custom builds. It supplements (and does not replace) the data processing terms in your contract or Data Processing Agreement when one is signed.

For information about how the link-v.pro website itself handles visitor data, see our Privacy Policy.

1. Roles

Whether LINK-V is a controller, processor, or neither depends on the product:

  • Grace Mail Managed: LINK-V is a processor. The client is the controller of their own mail data. LINK-V operates the infrastructure; the data belongs to the client.
  • Grace Mail Self-hosted: LINK-V is neither controller nor processor. The client runs the software on their own infrastructure. LINK-V is the software vendor, not a data handler.
  • Timeless: LINK-V is typically a processor for client website data, including content the client publishes and any visitor data the site processes. The client remains the controller of their site's data.
  • Custom builds: LINK-V is a processor during development and, where ongoing maintenance is contracted, during operation. Specific roles are defined in the contract for each engagement.

2. EU-based by default

Production infrastructure runs in the EU by default. Hosting, mail servers, and operational systems are located in EU jurisdictions. When a client engagement specifically calls for hosting elsewhere — for example, a US-based business with US-based users — we deploy in the appropriate region. Data location is documented per project.

3. What we don't do

Across all products and engagements:

  • We do not sell, rent, or share personal data with third parties for advertising, marketing, or any commercial purpose unrelated to delivering the contracted service.
  • We do not train AI models on client data, including the contents of mailboxes processed through Grace Mail.
  • We do not scan message content for advertising profiles, behavioral targeting, or commercial recommendations.
  • We do not retain data beyond what is operationally and legally necessary.

4. Security

Personal data handled by LINK-V infrastructure is protected by standard technical and organizational measures: TLS encryption for all connections, AES-256 disk encryption at rest where applicable, encrypted backups, access controls limited to operational necessity, and ongoing security monitoring. Specific security configurations for individual engagements are documented in the contract.

5. Subprocessors

Where LINK-V uses third-party providers to deliver services (such as infrastructure hosting), we work only with providers whose own GDPR posture is sound and whose data processing terms are acceptable. The current list of subprocessors used in any specific engagement is provided to clients on request and disclosed in the Data Processing Agreement when one is signed.

6. Data subject requests

When LINK-V is a processor, requests from data subjects (the people whose data is being processed) are handled by the controller — typically our client. We support our clients in responding to such requests by providing the technical means to fulfill them: data exports, deletion, restriction, or correction within the systems we operate.

When a data subject contacts LINK-V directly about data processed on behalf of a client, we route the request to the appropriate controller and inform the data subject accordingly.

7. Retention and deletion

Retention periods follow contract terms and applicable law:

  • Active clients retain operational data while their subscription or engagement is active.
  • On termination, data exports are made available in standard, machine-readable formats. We do not hold client data hostage.
  • After exit, we delete or anonymize data following the periods defined in the contract, subject to any statutory retention obligations (such as accounting records under Czech tax law).

8. Incident response

We maintain monitoring across our infrastructure. In the event of a confirmed personal data breach affecting client data, we notify the affected controller without undue delay — typically within 24 hours of confirming the incident — alongside an initial assessment and remediation steps. We support controllers in meeting their own notification obligations under Article 33 GDPR where required.

9. International transfers

By default, personal data stays within the EU. Where international transfers occur — by client request, or through a specific subprocessor relationship — they are based on appropriate legal mechanisms (standard contractual clauses or other GDPR-compliant safeguards). Transfer arrangements are documented per engagement.

10. Data Processing Agreements

For client engagements where LINK-V acts as a processor, a Data Processing Agreement (DPA) defines the specific processing terms, including categories of data, processing purposes, subprocessors, security measures, and the parties' respective obligations under GDPR. DPAs are negotiated and signed as part of the engagement contract on request.

11. Changes

We may update this page from time to time to reflect changes in our products, processes, or applicable law. The "last updated" date at the top indicates when the page was most recently revised.

12. Contact

For GDPR-related questions about LINK-V's products and engagements, contact privacy@link-v.pro.

For website-specific privacy questions, see our Privacy Policy.