last updated · 2026-05-11
GDPR & data residency.
Where xlinked stores data (US East · Washington, D.C.), how EU/UK transfers are covered, and your rights as a data subject. The DPA uses Standard Contractual Clauses where required — no signature needed.
Where data lives
| data class | region | provider | retention |
|---|---|---|---|
| workspace data | us-east-1 | Neon · Washington, D.C. | until deletion |
| lender audit log | us-east-1 | Neon · Washington, D.C. | 90 days · extendable |
| auth & sessions | US | Clerk | per Clerk policy |
| transactional email | US | Resend | per Resend policy |
| payouts & KYC | eu | Wise (UK · regulated) | per Wise policy |
| request telemetry | US East | Vercel | 30 days · rolling |
Primary workspace and lender operational data is stored in the United States (US East · Washington, D.C.). For EU/UK data subjects, transfers to the US are covered by the Standard Contractual Clauses in our DPA. Payout KYC may be processed by Wise in the EU/UK under Wise's policies. If a sub-processor changes region, the legal index updates — start from /legal/privacy for the current list.
Your rights as a data subject
- Access — export of everything we hold, JSON + CSV, within 7 days.
- Rectification — edit fields in the dashboard; we do not gate corrections behind a queue.
- Erasure — one-click deletion. Purge within 30 days; audit logs within 90.
- Portability — same export, machine-readable schema in the DPA.
- Objection — opt out of assignment categories in Dashboard · Privacy.
Profiles your node sees
LinkedIn profiles delivered through your node are personal data. We process them under agreements with workspaces and with you as a lender. Routing metadata retention follows our audit log policy.
Authority & contact
Privacy and data-subject requests: privacy@xlinked.app. DPO: dpo@xlinked.app. Inquiries answered within 30 days; most within 72 hours. You may also contact your local supervisory authority where applicable.