Privacy Policy
Last updated: March 13, 2026
1. Who We Are
ConnectLink is operated by xLabs Solutions LLC ("xLabs," "we," "us," or "our"), based in Miami, Florida. ConnectLink is a client-onboarding and asset-delegation platform that enables marketing agencies to request and receive access to their clients' advertising accounts and business assets on supported third-party platforms through guided, platform-native authorization flows.
This Privacy Policy explains how we collect, use, share, and protect information when you use ConnectLink, including the ConnectLink application, onboarding links, and related services (collectively, "the Service").
2. Information We Collect
2.1 Information you provide directly
- Account information: Name, email address, company name, and password when you register for an account.
- Payment information: Billing details provided during purchases, processed securely by Stripe. We do not store full payment card numbers on our systems.
- Communications: Any information you provide when contacting us for support or sending feedback.
2.2 Information collected through platform integrations
- OAuth authorization tokens: When you connect a third-party platform (such as Meta or Google) through ConnectLink, the platform issues an authorization token that allows us to perform the specific actions you authorized. These tokens are encrypted at rest using AES-256-GCM and stored in our secure backend infrastructure. Raw tokens are never exposed to the ConnectLink user interface.
- Platform identity information: Basic profile information provided by the third-party platform during authorization (such as your user ID, name, and email) to verify your identity.
- Business and asset metadata: Lists of advertising accounts, business pages, pixels, catalogs, and similar asset identifiers retrieved from connected platforms to support the asset selection and delegation workflow. This metadata is retained only for as long as reasonably necessary to operate, secure, and troubleshoot the Service.
2.3 Information collected automatically
- Usage data: Information about your interactions with the Service, including links created, sessions completed, and features used.
- Cookies and session data: We use session cookies for authentication and to maintain your logged-in state. These are functional cookies necessary for the Service to operate. We do not use third-party advertising or tracking cookies on the Service.
- Server logs: Standard web server logs including IP address, browser type, referring page, and timestamps, collected for security and operational purposes.
3. How We Use Your Information
We use the information we collect for the following purposes:
- Providing the Service: Creating accounts, processing authorization flows, and facilitating access requests and asset delegation between agencies and their clients.
- Processing payments: Handling billing, invoicing, and subscription management through our payment processor.
- Service communications: Sending transactional emails related to your account, access requests, and onboarding links.
- Security and fraud prevention: Monitoring for unauthorized access, verifying identities, and protecting the integrity of the Service.
- Service improvement: Understanding how the Service is used to improve functionality, reliability, and user experience.
- Legal compliance: Complying with applicable laws, regulations, and legal processes.
4. Payment Processing
All payment processing is handled by Stripe, a PCI-DSS Level 1 certified payment processor. When you make a purchase, your payment information is transmitted directly to Stripe over an encrypted connection. We receive only a limited set of information from Stripe (such as the last four digits of your card, card type, and billing address) for record-keeping and customer support purposes. We do not process or store full payment card numbers on our systems at any time.
5. OAuth Token Handling
When you authorize ConnectLink to interact with a third-party platform on your behalf, the platform issues an OAuth authorization token. We handle these tokens with particular care:
- Encryption at rest: All OAuth tokens are encrypted using AES-256-GCM before being stored in our database.
- Limited exposure: Raw tokens are processed only within our secure backend infrastructure. They are never sent to the browser, displayed in any user interface, or included in logs.
- Scoped access: We request only the permissions necessary for the specific functionality you are using (such as listing your business assets or delegating access to an agency).
- Revocation: You may revoke ConnectLink's access to your third-party accounts at any time through the platform's own settings or by disconnecting the integration within ConnectLink.
- Expiration: Tokens have a limited lifespan as determined by the issuing platform. Expired tokens cannot be used and must be reauthorized.
6. Cookies and Session Management
We use a limited set of cookies solely for functional purposes:
- Session cookies: To maintain your authenticated session while using the Service. These cookies are deleted when your session ends or expires.
- Authentication cookies: Signed cookies (HMAC-SHA256) used to verify your identity during administrative operations.
We do not use advertising cookies, social media tracking pixels, or third-party analytics trackers on the ConnectLink application. Our marketing website at connectlink.io may use standard analytics tools, governed by their respective privacy policies.
7. Data Sharing
We do not sell, rent, or trade your personal information. We share data only in the following limited circumstances:
- Third-party platforms (at your direction): When you initiate an OAuth authorization or asset delegation through ConnectLink, we interact with the relevant platform (such as Meta or Google) using the authorized tokens you granted. This is the core function of the Service and occurs only at your explicit request.
- Payment processing: Stripe processes payments on our behalf and receives only the payment information necessary to complete transactions.
- Transactional email: We use a third-party email service to deliver account-related and onboarding emails.
- Infrastructure providers: Our hosting and database providers process data on our behalf under strict data processing obligations. These include cloud hosting (Fly.io) and managed database services.
- Legal requirements: We may disclose information if required by law, regulation, legal process, or enforceable governmental request.
- Business transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.
8. Data Retention
We retain your information for as long as your account is active or as needed to provide the Service. Specifically:
- Account data: Retained while your account is active and for a reasonable period afterward to comply with legal obligations and resolve disputes.
- OAuth tokens: Retained while the associated platform connection is active. Tokens are deleted when you disconnect an integration or when they expire.
- Session data: Automatically expired based on configurable timeouts (typically within 24 hours of inactivity).
- Payment records: Retained as required by applicable tax and accounting regulations.
- Server logs: Retained for a limited period for security and operational purposes, then automatically purged.
9. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal information:
- Access: Request a copy of the personal information we hold about you.
- Correction: Request correction of inaccurate or incomplete information.
- Deletion: Request deletion of your personal information, subject to legal retention requirements.
- Portability: Request a copy of your data in a structured, commonly used format.
- Objection: Object to certain processing of your personal information.
- Withdrawal of consent: Where processing is based on consent, withdraw that consent at any time.
To exercise any of these rights, contact us at support@xlabs-solutions.com. We will respond to your request within 30 days.
For users who connected a Meta account: Meta may also submit a data deletion request on your behalf through our automated data deletion callback. When we receive such a request, we delete all associated personal data and provide Meta with a confirmation code.
10. Security
We implement industry-standard security measures to protect your information, including:
- Encryption of data in transit (TLS/HTTPS) and at rest (AES-256-GCM for credentials)
- Signed, HMAC-verified authentication cookies
- HMAC-SHA256 signature verification for platform callbacks
- Timing-safe comparison functions to prevent timing attacks
- Secrets stored in environment variables and encrypted configuration, never in source code
- Access to production systems limited to authorized personnel
While we strive to protect your information, no method of transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to promptly addressing any security incidents.
11. International Transfers
ConnectLink is operated from the United States. If you access the Service from outside the United States, your information may be transferred to and processed in the United States or other jurisdictions where our infrastructure providers operate. By using the Service, you consent to the transfer of your information to the United States and other jurisdictions that may have data protection laws different from those in your country of residence.
12. Children's Privacy
The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at support@xlabs-solutions.com.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or through a notice on the Service. The "Last updated" date at the top of this page indicates when the policy was most recently revised. Your continued use of the Service after any changes constitutes acceptance of the updated policy.
14. Contact
xLabs Solutions LLC
Miami, FL
Email: support@xlabs-solutions.com