MASK

Privacy Policy

Effective date: 25 March 2026

1. Introduction

MASK ("we," "us," "our") operates the link management platform at mask.pk. This Privacy Policy explains how we collect, use, store, share, and protect your data when you use our platform, visit our website, or interact with links, Bio Pages, QR codes, or other content created through our Service.

This policy should be read together with our Terms of Service and Cookies Policy.

2. What We Collect

Account data. Name, email address, password (stored as a cryptographic hash, never in plaintext), and organization name when you register. If you sign in via a third-party provider (e.g., Google), we receive your name, email, and provider account identifier. We never receive or store your third-party password.

Workspace data. Workspace names, member invitations, role assignments, branding preferences, and configuration settings.

Content data. Links, Bio Page content, QR code configurations, campaign details, custom domains, tags, templates, link rules (device-based, geographic, schedule-based routing), A/B test configurations, and social preview metadata you create.

Subscriber data. Email addresses and metadata collected through your Bio Page subscribe forms, lead magnets, and newsletter sign-ups. If you use email campaigns, we store subscriber lists, campaign content, delivery status, and engagement metrics on your behalf. You are the data controller for subscriber data you collect.

Billing data. Subscription plan selection and billing history. Payment card details are processed and stored exclusively by Stripe and are never stored on our servers.

Analytics data. When someone clicks a link, visits a Bio Page, or scans a QR code, we collect: anonymized or truncated IP address, approximate geographic location (country level on free plans, city level on paid plans), device type, operating system, browser type, referring URL, and timestamp.

Session and security data. IP address, device type, browser, session timestamps, login attempts, two-factor authentication status, and suspicious activity indicators for authenticated sessions.

Usage data. Feature usage patterns, session duration, API call volumes, webhook delivery logs, and error logs.

Audit log data. Administrative and security-relevant actions within Workspaces, including who performed the action, action type, affected resource, and timestamp.

Integration data. If you connect third-party services (Slack, Zapier, Stripe), we receive authentication tokens and event data necessary for integration functionality. If you connect your Stripe account, we receive payment notifications including transaction amounts, currency, customer email (if provided by Stripe), and payment status.

Affiliate data. If you join the Affiliate Programme, we collect referral link usage, referred sign-ups, commission amounts, and payout method details (bank account, PayPal, or Wise).

Communication data. Information you provide when contacting support, submitting reports, or using our contact form.

3. How We Use Your Data

We use collected data for the following purposes:

  • Provide the Service. Operate link redirection, Bio Page hosting, QR code generation, analytics dashboards, campaign management, A/B testing, templates, subscriber collection, email delivery, and integrations.
  • Authenticate and secure. Manage sessions, enforce access controls, role-based permissions, approval workflows, and two-factor authentication.
  • Process billing. Handle payments, manage subscriptions and expansion packs, generate invoices, and calculate affiliate commissions.
  • Prevent abuse. Detect and respond to fraud, spam, phishing, bot activity, suspicious clicks, and Terms violations.
  • Maintain audit trails. Log administrative actions for compliance, governance, and troubleshooting.
  • Improve the product. Analyze anonymized and aggregated usage data to develop and improve features.
  • Communicate. Send service updates, security alerts, billing notifications, and, where you have opted in, marketing communications.
  • Comply with law. Meet legal obligations and respond to lawful requests from authorities.

4. Public Data and Analytics Tracking

Bio Pages and links you create through the Service may be publicly accessible by design. When you publish a Bio Page or create a link, visitors can view the page content and follow the link.

Public pages and links include analytics tracking by default. When visitors interact with your content, data is collected automatically for performance measurement, security monitoring, and abuse detection. This includes anonymized IP addresses, device information, geographic location, referral source, and timestamps. This data is made available to you through the analytics dashboard.

You are responsible for disclosing this data collection to your visitors under applicable privacy laws. If you create shareable reports or public analytics pages, that data is accessible to anyone with the URL. Password-protected reports require the configured password.

5. Cookies and Tracking

We use cookies to maintain your session, remember preferences, and understand how the platform is used. We do not use third-party advertising cookies or participate in cross-site tracking networks.

For full details on what cookies we use and how to manage them, see our Cookies Policy.

6. Third-Party Services

We share data with third parties only in limited circumstances:

  • Infrastructure providers. Cloud hosting and content delivery for operating the Service.
  • Payment processor. Stripe processes subscription payments, expansion pack billing, and affiliate payouts. They receive billing information necessary to complete transactions. Your use of payment features is also subject to the payment provider's own privacy policy and terms. MASK does not store payment card details on its servers.
  • Email delivery. Third-party services deliver transactional emails and email campaigns on behalf of workspace owners.
  • Your integrations. When you configure API keys, webhooks, or integrations (Slack, Zapier), data flows to the systems you designate. You are responsible for those systems.

We do not sell, rent, or trade your personal data. We may disclose data if required by law, to protect our rights or safety, or in connection with a business transfer (merger, acquisition, or asset sale).

7. Data Retention

  • Account data. Retained while your account is active and for thirty (30) days after deletion to allow data export.
  • Analytics data. Retention varies by plan. Free plans retain thirty (30) days of data. Paid plans retain data according to plan entitlements. Enterprise customers may negotiate custom retention.
  • Billing and transaction data. Retained for a minimum of seven (7) years for tax and financial reporting compliance.
  • Audit logs. Thirty (30) days on Growth plans. Indefinite on Enterprise plans.
  • Subscriber and campaign data. Retained while your Workspace is active. You may delete subscriber data at any time.
  • Affiliate data. Commission and payout records retained for a minimum of seven (7) years after programme participation ends.
  • Anonymized data. May be retained indefinitely as it cannot identify individuals.

You may request deletion of your data at any time. We will delete or anonymize your personal data within thirty (30) days of a verified request, except where retention is legally required.

8. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access. Request a copy of the personal data we hold about you.
  • Correction. Request correction of inaccurate or incomplete data.
  • Deletion. Request deletion of your personal data, subject to legal retention requirements.
  • Restriction. Request that we restrict processing of your data in certain circumstances.
  • Portability. Receive your data in a structured, machine-readable format.
  • Objection. Object to processing based on legitimate interests.
  • Withdraw consent. Where processing is based on consent, withdraw it at any time.
  • Complaint. Lodge a complaint with a supervisory authority in your jurisdiction.

To exercise these rights, contact privacy@mask.pk. We respond to verified requests within thirty (30) days.

9. Lawful Basis for Processing

We process personal data on the following bases under GDPR:

  • Contract. Processing necessary to provide the Service, manage your account, and fulfill subscriptions.
  • Legitimate interests. Platform security, fraud prevention, abuse detection, and service improvement, balanced against your rights.
  • Legal obligation. Tax regulations, financial reporting, and lawful authority requests.
  • Consent. Marketing communications and optional cookies. You may withdraw consent at any time.

10. Data Controller and Processor Roles

MASK as controller. We are the data controller for personal data collected from registered users (account information, billing, usage data).

MASK as processor. When we collect analytics data on behalf of our users (click data, page views from visitors), we act as a data processor. Workspace owners are the data controllers for such data and are responsible for ensuring appropriate legal bases and consent.

11. International Transfers

The Service may be hosted across multiple jurisdictions. Where personal data is transferred to countries without an adequacy decision from the European Commission, we ensure appropriate safeguards including Standard Contractual Clauses, data processing agreements with sub-processors, and technical measures (TLS 1.2+ encryption in transit, encryption at rest).

Contact privacy@mask.pk for details on safeguards applied to specific transfers.

12. Security

We implement technical and organizational measures to protect your data:

  • Encryption in transit (TLS) and at rest for sensitive data.
  • Cryptographic hashing of passwords and API keys.
  • Two-factor authentication available for all accounts.
  • Role-based access control with granular permissions.
  • Enterprise security policies (mandatory 2FA, session limits, SSO-only access).
  • Regular security assessments and code reviews.
  • IP anonymization for analytics data.

No system is completely secure. We cannot guarantee absolute security but will promptly address incidents in accordance with our response procedures and applicable breach notification laws. In the event of a breach likely to risk your rights, we will notify the relevant authority within seventy-two (72) hours and affected individuals without undue delay.

13. Children

The Service is not directed at individuals under eighteen (18). We do not knowingly collect personal data from anyone under 18. If we learn we have collected data from someone under 18, we will promptly delete it. Contact privacy@mask.pk if you believe a minor has provided us with personal data.

14. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements. Material changes will be communicated via email or in-app notification at least thirty (30) days before taking effect. Continued use after the effective date constitutes acknowledgment of the updated policy.

15. Contact

For questions about this Privacy Policy or your data:

  • Privacy: privacy@mask.pk
  • Security: security@mask.pk
  • Legal: legal@mask.pk
  • Support: support@mask.pk

We respond to all inquiries within thirty (30) days.
