Privacy Policy
This Privacy Policy explains how Otherlink Ltd (“we”, “us”), the operator of INKDASH, collects, uses and protects your personal data. We are the data controller for personal data we collect about you. We comply with the UK GDPR and the Data Protection Act 2018.
1. Data we collect
1a. Account data
- Email address and (optional) name when you sign up.
- Password hash (never the plain password) or OAuth identifier if you sign in with Google.
- Organisation name, role and membership data.
- Terms of Service consent timestamp, IP address and user agent at the time of consent.
1b. Billing data
- Billing name, address, country and VAT details (collected and stored by Stripe, not by us).
- Subscription tier, status, renewal dates and payment history metadata (we store IDs, not card numbers).
1c. Service usage & telemetry
- Device identifiers (MAC addresses), battery and signal metrics, firmware version, last contact time.
- Sensor readings (e.g. temperature, occupancy) you have chosen to record.
- Uploaded content (images, documents, notes) you provide to display on your devices.
- Server logs (request URLs, timestamps, IP addresses, error traces) retained for up to 30 days for security and debugging.
1d. Communications
- Messages you send via the support form, contact form or email.
- SMS alerts you choose to send via our SMS provider — phone numbers and message contents.
2. How we use your data
- Provide the Service — authenticate you, display your content, route alerts, and operate the dashboard.
- Billing — process subscriptions, taxes and invoices via Stripe.
- Communication — respond to your support requests, send service notifications (e.g. alert breaches, billing issues, security notices).
- Security & abuse prevention — detect fraud, rate-limit abuse, investigate incidents.
- Improve the Service — analyse anonymised usage patterns, fix bugs, prioritise features.
- Legal compliance — comply with tax, accounting and regulatory obligations.
We do not sell your personal data. We do not use your data to train third-party AI models.
3. Legal bases (UK GDPR)
- Contract — to provide the Service you have signed up for.
- Legitimate interests — to secure, debug and improve the Service.
- Legal obligation — to retain billing records and respond to lawful requests.
- Consent — for optional features such as marketing emails (you can withdraw consent at any time).
4. Sub-processors
We share data with the following processors strictly to provide the Service:
| Provider | Purpose | Region |
|---|---|---|
| Supabase | Database, authentication, file storage | EU / UK |
| Stripe | Payments, subscriptions, invoicing | EU / US (SCCs in place) |
| Fly.io | Application hosting | EU (London) |
| Sentry | Error tracking | EU |
| Telnyx | SMS alert delivery | US (SCCs in place) |
| Optional sign-in (OAuth) | US (SCCs in place) | |
| Resend | Transactional email delivery | EU / US (SCCs in place) |
International transfers are protected by the UK International Data Transfer Addendum, EU Standard Contractual Clauses, or an adequacy decision, as applicable.
5. Retention
- Account data: while your account is active, plus up to 90 days after deletion (so accidentally deleted accounts can be restored).
- Sensor readings: retained according to your subscription tier; oldest readings may be aggregated or pruned.
- Server logs: 30 days.
- Billing records: 7 years to satisfy UK tax/accounting law.
- Consent records: kept for the life of the account plus 6 years thereafter.
6. Your rights
Under the UK GDPR you have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate data.
- Erase your data (“right to be forgotten”), subject to legal retention obligations.
- Restrict or object to processing.
- Data portability — export your data in a machine-readable format.
- Withdraw consent at any time (without affecting prior processing).
- Lodge a complaint with the UK Information Commissioner’s Office (ico.org.uk).
To exercise any of these rights, email info@otherlink.io. We respond within one month.
7. Security
We protect your data with industry-standard technical and organisational measures, including HTTPS everywhere, encryption at rest (Supabase), least-privilege access, JWT-based authentication and audit logging. No system is perfectly secure; if a breach occurs that is likely to affect your rights, we will notify you and the ICO within 72 hours as required by law.
8. Cookies & local storage
We use only the cookies and local-storage entries strictly necessary to keep you signed in, remember your theme preference, and operate the dashboard. We do not set advertising or analytics cookies on the application. The landing page may set first-party analytics cookies — these can be disabled through your browser settings.
9. Children
The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.
10. Changes to this Policy
We may update this Policy from time to time. Material changes will be notified by email and/or in the dashboard at least 14 days before they take effect.
11. Contact
Otherlink Ltd · London, United Kingdom · info@otherlink.io