Privacy Policy
Effective: May 10, 2025
1. What We Collect
Creators (registered accounts):
- Email address and name (via Clerk authentication)
- OAuth provider ID (Google, Discord, etc.)
- Links created, wait-time settings, payout wallet addresses
- Earnings and payout history
Visitors (non-registered):
- Anonymous session identifier (signed HttpOnly cookie, never linked to an identity)
- IP address hash (one-way, non-reversible) for fraud detection — the raw IP is not stored
- User-agent string (browser and device type only, not fingerprinting)
- Referrer URL (the page that linked to the ulock.io short URL)
- Country code derived from IP at request time
We do not collect names, email addresses, or any personally identifiable information from unregistered visitors.
2. How We Use It
- To operate the service and enforce wait timers
- To detect and prevent fraudulent traffic
- To calculate Creator earnings attributable to each link
- To provide Creators with aggregated analytics (country, device, traffic source)
- To process Creator payouts
- To send transactional emails to Creators (payout confirmations, account alerts)
We do not sell, rent, or share personal data with advertisers or third-party data brokers.
3. Destination URLs
Destination URLs submitted by Creators are stored in encrypted form (AES-256-GCM). They are decrypted only at redirect time, server-side, and are never exposed to the visitor's browser. ulock.io does not transmit visitor data to destination servers.
4. Cookies
- ulock_session — Signed HttpOnly session cookie. Stores an anonymous session ID and timer start time. Expires on browser close or timer completion. No cross-site tracking.
- ulock_premium — Set after confirmed Premium subscription. HttpOnly. Contains no personal data.
- ulock_ref — Set when a visitor arrives via a referral link. 30-day expiry. Contains only the referral code.
- Clerk cookies — Set by Clerk when a Creator logs in. See Clerk's Privacy Policy.
We do not use advertising, analytics tracking, or third-party tracking cookies.
5. Third-Party Services
- Clerk — Creator authentication. Stores Creator email and OAuth tokens.
- Whop — Premium subscription billing and management. We receive only a transaction ID, amount, and Whop user ID — no raw payment data.
- Neon — PostgreSQL hosting, US-East region.
- Upstash — Redis for session state and rate limiting. No personal data stored permanently.
- Resend — Transactional email for Creators only.
- Sentry — Error monitoring. Error payloads are scrubbed of cookies and authorization headers.
6. Data Retention
- Creator account data: retained until deletion is requested
- Analytics events: retained for 24 months
- Payout records: retained for 7 years for accounting compliance
- Visitor session cookies: session-scoped, deleted after timer completion
7. Your Rights
If you are a Creator, you may request access to, correction of, or deletion of your data by emailing privacy@ulock.io. We will respond within 30 days. Payout records may be subject to legal retention requirements that limit deletion.
Unregistered visitors have no account-linked data — we collect no PII from them — so there is no personal data to access or delete.
8. Security
Destination URLs are encrypted at rest (AES-256-GCM). Session cookies use HMAC-SHA256 signing. All traffic is served over HTTPS with modern TLS. We maintain audit logs of administrative actions and perform routine security reviews.
9. Changes
We may update this policy periodically. Material changes will be communicated via the Creator dashboard. Continued use after the effective date constitutes acceptance.
10. Contact
Privacy questions: privacy@ulock.io