1 · Overview
DataLink Smart Core builds local-first digital products. Our default stance is that your data stays on your device. Where sync or processing is necessary, it is end-to-end encrypted with keys only your device holds. We do not run surveillance analytics. We do not sell personal data. We do not profile users for advertising. This Privacy Policy describes, in concrete terms, what data we process, why we process it, where it lives, and how you can control it.
If you only have 60 seconds: we process almost nothing, we keep everything local, we use zero-knowledge encryption for sync, we honour every right granted by GDPR / CPRA / VCDPA / LGPD / PIPL / DPDP / DSA, and the easiest way to delete your data is to delete the app.
2 · Scope & roles
This Policy applies to all consumer products we publish under the DataLink Smart Core brand, including TrailMark, CurioVault, Inkdrop, PulseLoad, ReceiptVault, Cadence, Mindspace, LedgerLite, and any subsequent apps. It also covers our marketing website at datalinksmartcore.com and any developer or partner portal operated by us.
For these products and services, DataLink Smart Core LLC acts as the data controller. Where we engage a sub-processor (for example, Apple iCloud Drive or Google Drive for opt-in encrypted sync, or a payment processor for in-app purchases), that party acts as a data processor on our documented instructions. We do not sell, rent, or share personal data with third parties for their own purposes.
3 · What we collect
We collect the minimum data necessary to deliver the product. In practice, this falls into four categories.
3.1 · Data you create
The content you create inside our apps — your journal entries, scanned receipts, route files, vault items, habit logs, workout data — is stored on your device by default. We never see this content unless you explicitly share it with us (for example, by emailing a support request that includes a screenshot).
3.2 · Data required for the app to function
- Region / locale (for compliance adaptation — see §7)
- App version and device class (for compatibility routing)
- Purchases and subscription state (validated against the App Store / Google Play receipt server)
3.3 · Data we collect when you contact us
If you write to contact@, support@, or privacy@, we retain your message and any reply thread for up to 24 months for support continuity, after which it is permanently deleted. We do not enrich your contact data with third-party sources.
3.4 · Data we do not collect
We do not collect: persistent device identifiers for cross-app tracking, advertising IDs, location history, contact lists, photo library metadata, microphone audio, browsing history, advertising attribution events, biometric templates, social-graph data, or any "alternative" data sources purchased from data brokers. This list is enforced at the code level via a privacy lint that runs in CI on every commit.
4 · Local-first storage
All user-generated content lives in a sandboxed store on the user's device (App Sandbox on iOS, internal storage + EncryptedSharedPreferences on Android, Application Support on macOS). The storage is encrypted at rest by the platform: iOS Data Protection (Complete class when a device passcode is set), Android file-based encryption (FBE), macOS FileVault when enabled.
The user's data is never written to a server we control, except in the single case of opt-in encrypted sync described in §5. Even within the device sandbox, sensitive data is wrapped with keys held in the Secure Enclave / StrongBox / Android Keystore, so the wrapping key never leaves the hardware even if the device is jailbroken or rooted.
5 · Sync & zero-knowledge
If you enable cross-device sync, your user-generated content is encrypted on-device using AES-256-GCM with a key derived from a passphrase only you know (or, if you opt out of passphrases, a key held inside the Secure Enclave / Keystore and synced through the platform's key escrow). The encrypted blob is then uploaded to a sync relay we operate. The relay never sees plaintext. We cannot decrypt your data, and neither can anyone who serves legal process on us; the most we can produce in response to such process is the encrypted blob and the metadata described below.
Metadata associated with sync: relay account ID (random 128-bit value), last-sync timestamp, device count, blob size, blob content hash. This metadata is retained for as long as your account exists, plus 30 days for soft-delete propagation.
5.1 · Ad mediation disclosure
Some of our apps display advertising through mediation partners (AppLovin MAX, Google AdMob, Unity LevelPlay, Meta Audience Network, Pangle, Mintegral, InMobi, Chartboost, Vungle, Liftoff). For users in regions that require consent, the consent layer (Google UMP, Didomi, OneTrust, or IAB TCF v2.2) is presented before the first ad request. We pass only the IAB-defined consent string to the mediation stack — never additional personal data. We do not allow our mediation partners to use precise location, contact list, or SMS data for ad personalisation. Full per-app mediation configuration is published in each app's "Ad Partners" screen.
5.2 · Analytics (Confetti)
We use Confetti, an open-source privacy-preserving analytics library we maintain. Confetti replaces surveillance analytics with locally-aggregated counters that are k-anonymised (k = 25) and differentially-private (ε = 1.2) before any optional sync. Individual events are never persisted; only noise-added histograms are sent. The sync is opt-in and end-to-end encrypted.
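An added sketch of the aggregation §5.2 describes, not the Confetti library itself: only per-feature counters are kept, Laplace noise calibrated to ε = 1.2 is added, and bins that do not reach k = 25 are suppressed before export. The feature names, the choice of the Laplace mechanism with sensitivity 1, thresholding the noisy rather than the raw count, and the injectable random source (so the result can be checked deterministically) are assumptions.

```javascript
const K = 25;          // minimum bin size that may leave the device
const EPSILON = 1.2;   // privacy budget per exported histogram

class LocalCounter {
  constructor() { this.counts = new Map(); }
  // Record an event: only the counter changes; the event itself is never stored.
  record(feature) {
    this.counts.set(feature, (this.counts.get(feature) || 0) + 1);
  }
}

// Inverse-CDF sample from Laplace(0, scale); `uniform` returns a value in [0, 1).
function laplace(scale, uniform) {
  const u = uniform() - 0.5;
  return -scale * Math.sign(u) * Math.log(1 - 2 * Math.abs(u));
}

// Build the histogram that is allowed to leave the device. Adding or removing
// one event changes one bin by 1, so Laplace(1/epsilon) per bin gives epsilon-DP;
// suppressing bins by their *noisy* count is post-processing and keeps that guarantee.
function exportHistogram(counter, k = K, epsilon = EPSILON, uniform = Math.random) {
  const out = {};
  for (const [feature, count] of counter.counts) {
    const noisy = Math.max(0, Math.round(count + laplace(1 / epsilon, uniform)));
    if (noisy < k) continue;   // rare bins never leave the device
    out[feature] = noisy;
  }
  return out;
}

// Constructed sample: 30 receipt scans and 3 shares on one device.
const sampleCounter = new LocalCounter();
for (let i = 0; i < 30; i++) sampleCounter.record('receipt_scan');
for (let i = 0; i < 3; i++) sampleCounter.record('share');
console.log(exportHistogram(sampleCounter)); // e.g. { receipt_scan: 31 }; 'share' is suppressed
```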
6 · Legal basis (GDPR)
Under the General Data Protection Regulation, we rely on the following lawful bases for processing:
- Contract (Art. 6(1)(b)) — for the data required to deliver the product you installed and to validate purchases / subscription state.
- Legitimate interest (Art. 6(1)(f)) — for aggregated, anonymised, differentially-private product telemetry that helps us understand feature adoption and crash frequency. Our legitimate-interest assessment (LIA) is published in the Compliance section of this policy.
- Consent (Art. 6(1)(a)) — for cross-device sync, ad personalisation in regions where consent is required, and any optional analytics that goes beyond the strictly-functional baseline. Consent is freely withdrawable at any time without affecting the lawfulness of prior processing.
- Legal obligation (Art. 6(1)(c)) — for the minimal bookkeeping required by tax, accounting, and DSA transparency-reporting law.
7 · Regional compliance
We treat data protection as a single coherent problem across jurisdictions, and our compliance engine adapts the notice, the consent layer, the data flows, and the storage location to the user's region. The subsections below summarise the adaptations for each regime.
7.1 · GDPR (EU/EEA/UK)
For users in the European Economic Area, the United Kingdom, and Switzerland, the rights granted by GDPR Articles 15–22 apply in full: access, rectification, erasure, restriction, portability, and objection. Our EU representative is mandated under Article 27 and named in §15. Standard Contractual Clauses (SCCs, 2021/914) are used for any limited international transfer. The UK Addendum is in place for transfers from the UK.
7.2 · CPRA & VCDPA (US)
For users in California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and other US states with comprehensive privacy statutes, we honour the Right to Know, Right to Delete, Right to Correct, Right to Opt Out of Sale or Sharing, Right to Limit Use of Sensitive Personal Information, and Right to Non-Discrimination. Effective 22 April 2026, the "opt out of sale or sharing" and "limit use of sensitive personal information" toggles default to ON for users in these states — you have to opt in to data monetisation, not opt out.
7.3 · LGPD (Brazil)
For users in Brazil, the rights granted by Lei Geral de Proteção de Dados (Law 13.709/2018) apply in full, including the right to confirmation, access, correction, anonymisation, portability, deletion, and information about sharing. We have a designated Brazilian representative (DPO local) named in §15.
7.4 · PIPL (China)
For users in mainland China, the Personal Information Protection Law applies. We do not offer consumer products targeted at mainland Chinese users as of 2026.06; if this changes, we will operate a separate, China-internal data infrastructure with the security assessment, standard contract, or certification required by PIPL Article 38.
7.5 · DPDP (India)
For users in India, the Digital Personal Data Protection Act, 2023 applies from 18 March 2026. We use a consent-first model, localise data residency for sensitive categories, and block data collection for children (under 18) outside the strictly-functional baseline.
7.6 · 2026 Digital Services Act
For products that host user-generated content, we comply with the Digital Services Act (Regulation 2022/2065). We implement the notice-and-action mechanism, the AI + human moderation stack, the public complaint handling process, and the quarterly transparency reporting. Our Q1, Q2, Q3, and Q4 transparency reports are published at /dsa/transparency in machine-readable JSON and human-readable PDF.
9 · Children
Our consumer products are not directed at children under 13 (COPPA) or under 16 (GDPR / DPDP, unless a lower Member-State age applies). We do not knowingly collect personal data from children. If we learn that we have inadvertently collected data from a child, we delete it within 7 days. Parents and guardians may contact privacy@datalinksmartcore.com to request deletion.
10 · Data subject rights
Regardless of your jurisdiction, you have the following rights in relation to your data. We will respond within statutory windows (typically 30 days for GDPR, 45 days for CPRA, 15 days for LGPD).
- Right of access — request a copy of the personal data we hold about you.
- Right of rectification — correct inaccurate or incomplete data.
- Right of erasure — request deletion of your data ("right to be forgotten").
- Right of restriction — limit how we process your data while a complaint is investigated.
- Right of portability — receive your data in a structured, machine-readable format.
- Right of objection — object to processing based on legitimate interest or for direct marketing.
- Right to withdraw consent — at any time, without affecting prior lawful processing.
- Right to lodge a complaint — with your local data-protection authority.
To exercise any of these rights, write to privacy@datalinksmartcore.com. We will acknowledge within 72 hours and fulfil within statutory windows. There is no fee.
The fastest way to delete your data is to delete the app. On uninstall, all on-device data is removed by the platform within 30 days. Opt-in sync blobs are deleted from our relay within 7 days of the last device checking in.
11 · Security
Security is implemented at the architectural level, not as an audit-time overlay. Specific controls include: AES-256-GCM for data at rest, TLS 1.3 with certificate pinning for all network transport, Secure Enclave / StrongBox / Keystore for key material, optional hardware MFA on the developer and admin consoles, quarterly third-party penetration testing, an annual ISO/IEC 27001 surveillance audit, and a documented incident-response runbook with a 72-hour breach-notification commitment.
12 · International transfers
Because our default is local-first, the majority of user data never crosses a border. The limited transfers that do occur — opt-in sync, support correspondence, billing — use the following safeguards:
- EU/EEA/UK → US: SCCs (2021/914) Module 2, with the UK Addendum where applicable. Transfer impact assessment on file.
- EU/EEA → third countries: SCCs or, where applicable, adequacy decisions (e.g., UK, Switzerland, Japan, South Korea, Canada commercial).
- Brazil → US: Standard contractual clauses approved by the ANPD.
- India → US: Standard Contractual Clauses under DPDP §16, with data fiduciaries assessed.
13 · Retention
We retain personal data only as long as necessary to deliver the product or to comply with legal obligations. Specific retention windows:
- On-device user content: until the user deletes it or uninstalls the app.
- Opt-in sync blobs: until the user disables sync or 30 days after the last device checks in.
- Support correspondence: 24 months from last contact.
- Billing / receipt validation: 7 years (tax-law requirement).
- Aggregated, anonymised Confetti histograms: 36 months.
- DSA transparency report data: 5 years.
14 · Updates to this policy
We update this policy when we ship a material change — for example, when a new regulation becomes enforceable, when we add a new product, or when we change a data flow. The version number, effective date, and a short changelog are kept at the top of this page. Previous versions are archived at /privacy/archive for transparency.
If a change is materially adverse to you (for example, we begin processing a new category of data), we will notify you in-app and, where required, request renewed consent.
15 · Contact & DPO
For privacy inquiries, data-subject requests, or DPO correspondence, write to:
Sofia Costa, Privacy & Compliance Lead
DataLink Smart Core LLC
1 Innovation Way, Newark, DE 19711, USA
privacy@datalinksmartcore.com
EU representative (Article 27 GDPR): Vogel & Partner Rechtsanwälte mbB, Maximilianstraße 24, 80539 München, Germany, eu-rep@datalinksmartcore.com.
UK representative (Article 27 UK GDPR): Crowe U.K. LLP, 55 Ludgate Hill, London EC4M 7JW, United Kingdom, uk-rep@datalinksmartcore.com.
Brazilian representative (LGPD Art. 41): Mata Machado Advogados, Av. Afonso Pena, 4.121, Belo Horizonte, Brazil, br-rep@datalinksmartcore.com.