OwnBio

Draft — under legal review. This content is not final and is not legal advice.

Legal

Privacy Policy

What we collect, why, who we share it with, and the choices you have.

Effective date and version: see the live privacy changelog. [[REVIEW: confirm the effective date to display here]]

The short version

1. Who we are

In short: OwnBio runs this service; contact us with any privacy question. (Summary — the full text below governs.)

OwnBio is a free link-in-bio and mobile business page service operated by [[REVIEW: legal entity name]], [[REVIEW: registered address]]. For any privacy question or request, contact [[REVIEW: privacy contact email — e.g. privacy@ownbio.app]].

2. What we collect

In short: your account email + page content; your date of birth (for age eligibility only); and, only with your permission, preferences and privacy-first analytics.

  • Account data: your email address and the content you add to your page.
  • Date of birth: collected at onboarding and used only to confirm your age is appropriate for the service — never for advertising.
  • Consent records: the privacy choices you make and the version of the notice you saw (no advertising identifiers).
  • Functional preferences: if you allow them, your language, use case, and favorite templates, stored on your device and mirrored to your account.
  • Analytics: if you allow it, a random analytics identifier and aggregate usage events.

We do not store your raw IP address or your full browser user-agent in our privacy records — only your approximate country (ISO country code) and a coarse device class.

3. Why we use it, and our legal basis

In short: to run your account (contract), honor the choices you make (consent), keep the service safe (legitimate interest), and meet the law (legal obligation).

  • To provide the service and your account (contract).
  • To remember your preferences, measure what works, and — only if you allow it — support marketing and personalized recommendations (your consent).
  • To keep the service secure and prevent abuse (legitimate interest).
  • To meet legal obligations, such as honoring your rights requests and confirming age eligibility (legal obligation).

4. Personalization before you sign in

In short: we tailor the page from your current visit only (like which link you clicked from), never from stored tracking, and we keep nothing.

Before you consent to anything, we may adapt what you see using only signals from your current request, read for that page render and never stored: the page path, campaign parameters in the link (UTM, for that view only), the class of site you came from (for example "Instagram" or "Google", never the full address), your approximate country, your language preference, your device class (mobile or desktop), and any intent you declared in the link. Nothing here is written to your device, and none of it identifies you.

5. Cookies and storage

In short: before you consent we set only what's strictly necessary; everything else is your choice.

We explain every cookie and storage key, and how your consent controls them, in our Cookie Policy. Before you consent we set only strictly necessary storage (including the cookie that remembers your privacy choices).

6. Your choices

In short: six categories, all off until you turn them on (except the essentials), changeable anytime, and Global Privacy Control always wins.

You control six categories: strictly necessary (always on), functional personalization, analytics, marketing, AI personalization, and email marketing. Everything except strictly necessary is off until you turn it on, and you can change your mind anytime in Privacy & cookie settings. We honor Global Privacy Control signals: when your browser sends one, marketing stays off no matter what else you have chosen.

7. Who we share it with

In short: only the service providers that help us run OwnBio. We do not sell your data, and we run no advertising trackers today.

We use service providers who process data on our behalf under contract:

  • Cloudflare — hosting, CDN, and edge runtime.
  • Supabase — database, authentication, and file storage.
  • Resend — sending transactional and (with your confirmed opt-in) email-marketing messages.
  • Google (Analytics via Google Tag Manager) — product analytics, loaded only after you grant analytics consent.

We do not sell or "share" (as defined by US privacy laws) your personal information, and we run no advertising or marketing pixels today. If we ever enable advertising partners, they would load only after you turn on marketing, and only for the specific events needed. Payment processing: [[REVIEW: payment processor, if/when paid plans launch]].

8. International transfers

In short: our providers may process data outside your country under appropriate safeguards.

OwnBio is operated from the United Arab Emirates. Your data may be processed outside your country by the providers above. Where required, transfers rely on appropriate safeguards. [[REVIEW: confirm Supabase project region + Cloudflare/Resend regions and the transfer mechanism (e.g. SCCs) to state here]].

9. How long we keep it

In short: we keep things only as long as needed, delete expired data on a schedule, and keep a few records the law requires (like unsubscribe records).

  • Account data: for as long as you have an account, then deleted or anonymized.
  • Functional preferences: about 6 months for anonymous visitors; for the life of your account otherwise.
  • Analytics events: about 90 days in raw form, then aggregated (with no identifiers) and kept up to 14 months.
  • Consent records: retained as evidence for up to 5 years, subject to a minimum log-retention floor where the law requires one.
  • Data-request records: about 3 years after completion.
  • Email suppression (unsubscribe) records: kept permanently, so we can honor your unsubscribe.

10. Your rights

In short: you can access, correct, delete, port, or object to your data, and withdraw consent anytime.

Depending on where you live, you may have the right to access, correct, delete, port, or object to the use of your data, and to withdraw consent at any time. Your date of birth and all other account data are included in access and deletion requests. When we delete, we verify the deletion across our systems before we mark it complete; a small number of records the law requires us to keep (such as unsubscribe records and consent evidence within its retention window) are retained on that legal basis. To exercise a right, contact [[REVIEW: rights request contact / DSR email]]. You can withdraw consent yourself anytime in Privacy & cookie settings.

11. Region-specific rights

In short: the same controls apply everywhere; here is how they map to your local law.

UAE (PDPL): we operate on a consent-default basis and honor access, correction, deletion, restriction, portability, objection, and consent-withdrawal requests; you may also complain to the UAE Data Office. [[REVIEW: designate a UAE contact/representative if required]]

EU / UK (GDPR / UK GDPR): our legal bases are described in section 3; you have the rights in section 10 and may lodge a complaint with your supervisory authority (in the UK, the ICO). International transfers rely on the safeguards in section 8. [[REVIEW: EU/UK representative under Art. 27, if required]]

California (CCPA/CPRA): we collect the categories in section 2, for the purposes in section 3. We do not sell or share your personal information, and we honor Global Privacy Control as an opt-out signal. We do not discriminate against you for exercising your rights. Use "Your Privacy Choices" in the footer or Privacy & cookie settings.

India (DPDP): you have rights of access, correction, erasure, and grievance redress. We are preparing for full DPDP obligations, which take effect in stages (with broader requirements expected from 2027). [[REVIEW: designate a grievance officer + timeline when DPDP rules require it]]

Saudi Arabia (PDPL): we process on a consent basis for marketing and honor withdrawal and access/correction/deletion requests.

12. Children and age

In short: we ask your date of birth to confirm eligibility, and under-18s get no marketing or behavioral profiling.

OwnBio is not for children under 13, and we do not knowingly collect their data. We ask your date of birth at onboarding solely to confirm eligibility. If you tell us you are under 18, we do not show you marketing or email-marketing options and we never run behavioral profiling or advertising audiences for your account. In India, the service is not directed to anyone under 18.

13. AI personalization

In short: recommendations use only what you told us, never your behavior unless you allow it, and never sensitive inferences.

Smart recommendations suggest templates and order your links using only the answers you gave us (your use case, audience platform, and goal). Behavioral personalization — learning from what you do on the site — is off unless you turn on AI personalization. We never infer sensitive categories such as religion, health, ethnicity, sexuality, or political views; our recommendation inputs simply do not include anything like that. We do not make decisions with legal or similarly significant effects about you automatically.

14. Changes

In short: significant changes are versioned and, where required, we ask again for consent.

If we make a significant change, we will update the version and effective date and, where required, ask for your consent again. Our version history is on the Trust page.

15. Contact

Privacy questions or requests: [[REVIEW: privacy contact email]]. Security reports: [[REVIEW: security contact email, e.g. security@ownbio.app]]. Legal / law enforcement: [[REVIEW: legal contact email, e.g. legal@ownbio.app]].
