This Privacy Policy explains what data Backlink Exchange ("we", "the platform") collects, why, how long we keep it, and what rights you have over it. By creating an account you accept the terms below alongside our Terms of Service.
1. Data we collect
1.1 You give us
- Account: name, email address, password (hashed with Argon2id — we never see the plaintext), optional bio.
- Websites you list: URL, title, description, niche, language, target country, traffic range, Domain Rating / URL Rating, Ahrefs URL, sample article URL, link-attribute preferences, placement types, restricted niches, minimum partner DR, exchange notes.
- Domain verification: a one-time meta tag or DNS TXT record proving you control the domain. The token is stored only until you verify.
- Exchanges, chains, messages, reviews: everything you submit through the platform's normal interaction surfaces.
- Bookmarks and saved searches: private to you, used only to power the watchlist and email alerts you've opted into.
- Reports you file: visible only to admins, used to moderate.
1.2 We collect automatically
- Login activity: timestamp of your last login, used for the dashboard "last seen" stat.
- IP address: kept transiently for rate-limit windows (max 60 minutes for most actions). Not stored in the user record.
- Link verification probes: we visit the placement URLs you submit, using a Chrome-like user agent, to verify that backlinks are live. Each fetch logs only the target URL, status code, and detected link state.
2. Cookies
We use only essential cookies — no third-party advertising, no behavioural tracking:
- bx_sess — your authenticated session. Required for login. Cleared when you log out.
- theme — remembers your light/dark preference. Year-long expiry. No PII.
- cookie_notice — remembers that you've dismissed the cookie notice. Boolean only.
- CSRF tokens — short-lived, session-scoped, never sent to third parties.
Under GDPR Art. 5(3) these cookies are exempt from explicit consent because they are strictly necessary to deliver the service you requested. The cookie notice we show is informational, not a consent prompt.
3. Email we send
We send two kinds of email:
- Transactional (password resets, email-address verification) — sent regardless of preference because you triggered them yourself.
- Notifications — exchange updates, chain updates, weekly link-health digests, saved-search alerts, new conversation replies, reviews received. Each category has its own opt-out at /dashboard/notifications and a one-click unsubscribe link inside every email's footer (plus a List-Unsubscribe header for native mail-client buttons).
4. Third parties
- SMTP relay — outgoing email is sent through our own mail server at mail.backlinkexchange.org using TLS. We do not use third-party transactional-email providers (no SendGrid, Mailgun, etc.).
- Website screenshots — listing-card thumbnails are generated by a third-party screenshot service from your public URL. No account data is sent — only the URL itself.
- Google Fonts — the Inter font is loaded from fonts.googleapis.com on most pages. Google may log the IP making the font request.
- No analytics, no ads, no trackers.
5. Data retention
- Active accounts: data is kept while the account is active.
- Rate-limit windows: automatically purged once expired (15 minutes to 1 hour).
- Notifications: kept until manually marked read; oldest pruned per user over time.
- Verification tokens: deleted on use or after expiry.
- Reports: kept indefinitely as a moderation audit trail.
6. Your rights
Under the GDPR (and equivalent laws elsewhere) you have the right to:
- Access — download your data via /dashboard/export as CSV.
- Rectify — edit your name, bio, password and websites from your profile.
- Erase — delete your account at /dashboard/account/delete. We anonymise your row (replacing name/email/bio with "Deleted user" placeholders) but retain exchange + chain + message + review records because under GDPR Art. 17(3)(b)(e) other members have a legitimate interest in the history of their own backlinks and ratings.
- Restrict / object — disable any notification category at /dashboard/notifications.
- Portability — the CSV export covers the personal data you submitted; raw SQL dumps available on request.
For any of the above, write to no-reply@backlinkexchange.org.
7. Security
- Passwords hashed with Argon2id (memory cost 64 MB, time cost 4).
- HTTPS enforced on all pages; HSTS via the server config.
- CSRF tokens on every state-changing form.
- Content-Security-Policy header restricts script + style origins.
- Rate limits on login, registration, exchange requests, messaging, and reports to mitigate brute-force and spam.
- Link-verification HTTP client is hardened against SSRF (no private IPs, no redirect chains into private space).
8. Changes
If we materially change this policy we'll surface a notice on the dashboard and email account holders before the change takes effect.
9. Contact
Privacy questions: no-reply@backlinkexchange.org.