Privacy Policy
Last updated: 2026-06-29
DRAFT — template for review. Not legal advice; have counsel review before publishing.
1. Introduction, Scope, and Effective Date
This Privacy Policy explains how Libertas Link ("Libertas Link," "we," "our," or "us") collects, uses, discloses, and protects personal information. It is effective and was last updated on 2026-06-29. This Policy applies to our marketing website and to the Libertas Linkapplication, an AI assistant that lets businesses upload their own documents and receive cited answers (collectively, the "Service"). Libertas Link is a United States–based service intended for small business customers.
Our dual role. Depending on the data at issue, we act in two capacities:
- As a controller / business. For information we collect directly from website visitors and from the individuals who create and administer Libertas Linkaccounts (for example, contact and account details, billing data, and usage information), we determine the purposes and means of processing and act as the "controller" (GDPR-style terminology) or "business" (CCPA/CPRA terminology).
- As a processor / service provider.For the documents, links, project context, and related materials that a business customer uploads to its workspace ("Customer Content"), the business customer is the controller and we act solely as its "processor" or "service provider," processing that content only on the customer's documented instructions. Our handling of Customer Content is governed by our customer agreement and Data Processing Agreement (DPA), described in Section 14.
By accessing or using the Service, you acknowledge this Privacy Policy. If you do not agree, please do not use the Service.
2. Categories of Personal Information We Collect and Sources
In our role as a controller/business, we collect the following categories of personal information (using the categories enumerated under the California Consumer Privacy Act, as amended by the CPRA). We collect this information directly from you, automatically from your device and use of the Service, and from our service providers (such as our payment processor and authentication provider).
- Identifiers. Name, email address, account username, business/organization name, and online identifiers such as IP address. Source: you, automatically.
- Customer records / commercial information. Subscription plan, billing contact, and records of purchases and transactions. Payment card details are collected and stored by our payment processor, not by us. Source: you, our payment processor.
- Internet or other electronic network activity. Log data, browser and device type, operating system, pages viewed, features used, and queries submitted to the AI assistant. Source: automatically.
- Geolocation data. Coarse location inferred from IP address (e.g., country or region). Source: automatically.
- Professional or employment-related information. Job title or role within the business, where you choose to provide it. Source: you.
- Inferences. Limited inferences drawn from the above to operate, secure, and improve the Service. Source: generated by us.
Sensitive personal information. We do not seek to collect sensitive personal information, and the Service is contractually prohibited from being used to upload protected health information (PHI) or other regulated records (see Section 8). Account credentials are handled by our authentication provider and are used only to log you in and secure your account; we do not use them to infer characteristics about you.
Customer Content. Separately, in our role as a processor, we handle Customer Content that business customers upload. Any personal information contained in Customer Content is processed on behalf of, and under the instructions of, the business customer (see Section 14).
3. Purposes for Collecting and Using Personal Information
As a controller/business, we use personal information to:
- Create and administer accounts and authenticate users;
- Provide, maintain, secure, and improve the Service, including generating cited AI responses grounded in a customer's own content;
- Process subscriptions, payments, and renewals through our payment processor;
- Respond to inquiries and provide customer support;
- Send administrative and transactional messages (for example, security alerts and service notices);
- Monitor, troubleshoot, and analyze usage to maintain reliability and improve the product;
- Detect, investigate, and prevent fraud, abuse, and security incidents; and
- Comply with legal obligations and enforce our agreements.
No training on customer data. We do not use Customer Content, AI prompts, or AI outputs to train, fine-tune, or improve foundation models, and we do not permit our AI inference provider to do so. AI inference is performed via Cloudflare Workers AI within the United States.
4. How We Share Information and Categories of Recipients
We share personal information only as needed to operate the Service and as described below. The categories of third parties that may receive personal information are:
- Cloud infrastructure and AI inference (Cloudflare). We host the Service on Cloudflare in the United States, storing data in Cloudflare D1, R2, and Vectorize, and performing AI inference via Cloudflare Workers AI.
- Payments (Stripe). We use Stripe to process subscription payments. Stripe collects and processes payment details directly under its own privacy policy.
- Authentication (Better Auth). We use Better Auth to manage sign-in, sessions, and account security.
- Legal, safety, and compliance. We may disclose information where required by law, regulation, or valid legal process, or to protect the rights, property, or safety of Libertas Link, our users, or others.
- Business transfers. In connection with a merger, acquisition, financing, or sale of assets, information may be transferred subject to this Policy.
These providers are engaged as service providers / processors under written contracts that limit their use of personal information to providing services to us. A current list of subprocessors that may process Customer Content is maintained in our Subprocessor List, which is available on request and referenced in our DPA (see Section 14).
We do not sell or share your personal information.We do not sell personal information, and we do not "share" it for cross-context behavioral advertising, in each case as those terms are defined under the CPRA and similar state laws.
5. "Do Not Sell or Share" Statement
Libertas Link does not sell personal information and does not share personal information for cross-context behavioral advertising. We have not done so in the preceding twelve (12) months. Because we do not sell or share personal information, no opt-out is required; however, you may still submit a request regarding your information at any time using the channels in Section 10. If our practices change in the future, we will update this Policy and provide a clearly labeled "Do Not Sell or Share My Personal Information" link and mechanism before any such activity begins.
6. Data Retention
We retain personal information only as long as necessary for the purposes described in this Policy. Our retention periods are:
- Account and profile data: for the life of the account, then deleted within 90 days of account closure.
- Customer Content (documents, links, context) and derived search indexes: for the life of the account; deleted from primary systems within 30 days of deletion or account closure, and purged from backups within 90 days.
- AI prompts and generated responses: retained up to 90 days for reliability, abuse prevention, and support, then deleted.
- Billing and transaction records: retained up to 7 years to meet tax, accounting, and audit obligations.
- Server and security logs: retained up to 12 months, then deleted or aggregated.
- Support correspondence: retained up to 24 months after the matter is resolved.
Where we are required to retain information longer to comply with a legal obligation or to establish, exercise, or defend legal claims, we will retain it only for that additional period.
7. Data Residency and International Handling
Libertas Linkstores and processes personal information and Customer Content exclusively in the United States, using Cloudflare's US-region infrastructure (D1, R2, and Vectorize) and Cloudflare Workers AI for inference. We do not offer non-US data residency. If you access the Service from outside the United States, you understand that your information will be transferred to and processed in the United States.
The Service is not designed for, and is contractually prohibited from receiving, protected health information (PHI) or other regulated records. Libertas Link is not a HIPAA business associate, and you must not upload PHI or similarly regulated data to the Service (see Section 8 and our Acceptable Use Policy).
8. Your Privacy Rights
Depending on your state of residence, you may have some or all of the following rights with respect to personal information we hold about you as a controller/business:
- Right to Know: the categories and specific pieces of personal information we collect, the sources, the purposes, and the categories of recipients.
- Right to Access: a copy of the personal information we hold about you.
- Right to Delete: deletion of your personal information, subject to legal exceptions.
- Right to Correct: correction of inaccurate personal information.
- Right to Opt Out of Sale or Sharing: although we do not sell or share personal information (see Section 5).
- Right to Limit Use of Sensitive Personal Information: although we do not use sensitive personal information for purposes that would trigger this right.
- Right to Non-Discrimination: we will not discriminate or retaliate against you for exercising any of these rights.
These rights are available to residents of California (CCPA/CPRA) and, to the extent applicable, to residents of other US states with comprehensive privacy laws (for example, Virginia, Colorado, Connecticut, Utah, and Texas). The specific rights and exceptions vary by state. Residents of certain states may also have the right to appeal a refusal to act on a request; appeal instructions will be provided in our response.
If your personal information appears within Customer Content uploaded by a business customer, that customer is the controller of that data. Please direct requests concerning Customer Content to the relevant business; we will support that customer in responding (see Section 14).
9. How to Exercise Your Rights; Verification and Authorized Agents
You may submit a privacy request by emailing support@libertaslink.com with the subject line "Privacy Request." Account holders may also exercise certain rights directly through account settings.
Verification. To protect your information, we will take reasonable steps to verify your identity before responding, typically by confirming control of the email address associated with your account and, where appropriate, matching other information we hold. We will not use information collected for verification for any unrelated purpose.
Authorized agents. You may use an authorized agent to submit a request. We may require the agent to provide proof of authorization (such as written permission signed by you) and may require you to verify your own identity directly with us.
Response timelines. We will acknowledge a request within 10 business days and respond within 45 days. Where permitted by law, we may extend the response period by an additional 45 days and will notify you of any extension and the reason for it. There is no fee for most requests unless they are excessive, repetitive, or manifestly unfounded.
10. Opt-Out Preference Signals and Global Privacy Control (GPC)
Some browsers and extensions can send an opt-out preference signal, such as the Global Privacy Control (GPC), indicating that you wish to opt out of the sale or sharing of your personal information. Because we do not sell or share personal information (see Section 5), there is no sale or sharing for such a signal to stop. We nonetheless aim to honor recognized opt-out preference signals where applicable law requires, and we will treat a valid GPC signal as a request to opt out of any future sale or sharing should our practices ever change.
11. Cookies and Tracking Technologies
We use a limited set of cookies and similar technologies: strictly necessary cookies for authentication and security, and preference cookies that remember your settings (such as theme). We do not use cookies for cross-context behavioral advertising. For a fuller description of the cookies we use and your choices, please see our Cookie Policy, which supplements this Privacy Policy.
12. Security and Breach Notification
We implement appropriate technical and organizational measures to protect personal information, including encryption of data in transit and at rest, role-based access controls, least-privilege access to production systems, network and audit logging, and tenant isolation in our multi-tenant architecture. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
In the event of a security incident affecting personal information, we will investigate promptly and provide notice to affected individuals and, where we act as a processor, to the relevant business customer, in accordance with applicable law and our contractual commitments, including the timelines set out in our DPA.
13. Children's Privacy
The Service is a business tool that is not directed to children. We do not knowingly collect personal information from children under 13, consistent with the Children's Online Privacy Protection Act (COPPA), and the Service is not intended for use by anyone under 18. If you believe a child has provided us personal information, please contact us at support@libertaslink.com and we will take steps to delete it.
14. Customer/End-User Data Processed on Behalf of Business Customers
When a business customer uses the Service, that customer controls the Customer Content it uploads and any personal information it contains. In this context, the business customer is the controller / business, and Libertas Linkis the processor / service provider, processing Customer Content solely to provide the Service and only on the customer's documented instructions.
Our processing of Customer Content is governed by our customer agreement and Data Processing Agreement (DPA), which addresses confidentiality, security, subprocessors, data subject requests, and data return or deletion. If you are an end user whose data appears in Customer Content, please direct privacy requests to the business that controls it; we will assist that business in fulfilling its obligations.
15. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date above and post the updated Policy on this page. For material changes, we will provide additional notice, such as by email to account administrators or an in-product notice, before the changes take effect. Your continued use of the Service after an update becomes effective constitutes acknowledgment of the revised Policy.
16. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us at:
Libertas Link
Email: support@libertaslink.com
US residents:to exercise a privacy right described in Sections 8–9, email support@libertaslink.com with the subject line "Privacy Request."