Legal

Privacy Policy

Effective April 27, 2026

PRIMZ (“we”, “us”) provides a creator platform and mobile app that lets you publish a branded landing page, curate smart-links, and share them with your audience. This policy describes exactly what information we collect when you use PRIMZ, why we collect it, who we share it with, and the rights you have over your data.

We keep this policy short and concrete. If something here isn’t clear, email us at [email protected].

01

Information we collect

Account data

When you sign up, we store your email address and a one-way Argon2id hash of your password (we never see or store your plaintext password). If you sign in with Google, we store your Google account ID and the profile fields Google returns to us (name, email, profile picture URL) instead of a password.

Creator profile

Anything you publish to your creator page is stored in our database: username, display name, bio, theme colours, and any smart-links you create (title, destination URL, slug, campaign/UTM fields, deep-link paths, Open Graph metadata). If you upload a logo or background image, we store the file in S3-compatible object storage and keep a reference to its public URL.

Smart-link analytics

When someone visits a smart-link (e.g. primz.gg/l/your-slug), we record an anonymised click event so you can see how your links are performing. Each event contains:

  • An anonymous visitor ID (random, stored in the primz_vid cookie)
  • A truncated SHA-256 hash of the IP address — the raw IP is never stored
  • User-agent string, detected browser, OS, device type, and whether the request came from an in-app browser (Instagram, TikTok, …)
  • HTTP Referer header
  • UTM parameters present on the link (source, medium, campaign)

If a visitor later logs in, we stitch their prior anonymous events to their user account so you get accurate conversion attribution. We do not resell or syndicate this data to third parties.

Mobile app permissions

The PRIMZ iOS and Android apps request photo-library access only when you choose an image for your avatar, logo, or background. On iOS, this corresponds to the Photo Library permission described by NSPhotoLibraryUsageDescription. We use the picker only for the image you select; we do not scan, copy, or upload the rest of your library.

The apps store your session token in the platform secure store (iOS Keychain / Android Keystore) via expo-secure-store, so it is not written to unprotected disk. We do not request camera, location, contacts, or microphone access, and the mobile apps do not include third-party advertising SDKs, the IDFA, or other advertising identifiers.

02

App Store privacy labels

For App Store privacy disclosures, the data PRIMZ collects maps to these categories:

  • Contact Info — your email address.
  • User Content — your bio, avatar, logo, background image, smart-link titles, destination URLs, and related metadata.
  • Identifiers — your PRIMZ user ID and anonymous visitor ID.
  • Usage Data — product interaction data from smart-link click and conversion events.

03

How we use information

  • To create and operate your account and creator page.
  • To resolve smart-links, including the escape flow that bounces taps out of in-app browsers into your system browser so you stay signed into the destination site.
  • To show you analytics on your own dashboard (clicks, conversions, platforms, campaigns).
  • To secure the service against abuse, fraud, and automated attacks.
  • To contact you about critical account and service notices (e.g. password resets).

We do not use your information to train advertising models, and we do not sell personal data.

04

Cookies and local storage

NameLifetimePurpose
primz_vid1 yearAnonymous visitor ID for attributing smart-link clicks.
primz_session30 daysSigned-in session token. Set only after you log in.

Both cookies are HttpOnly, SameSite=Lax, and (in production) Secure. We do not set third-party advertising or tracking cookies.

05

Third parties

  • Google— if you sign in with Google, your browser communicates directly with Google to prove your identity. We receive the minimum profile data needed to create your account. Google’s handling of your data is governed by Google’s Privacy Policy.
  • S3-compatible object storage — we use Amazon S3 or Cloudflare R2 to host the images you upload. Only the images you choose to upload are stored there.
  • Hosting providers — our servers and database run on commercial cloud infrastructure. These providers act as processors under our instructions; they do not get independent access to your data.

We do not embed Facebook, TikTok, Meta, or other advertising pixels on creator pages or in the mobile app.

06

Data retention

We keep your account and profile data for as long as your account is active. Click and conversion events are retained alongside your account so historical analytics remain visible on your dashboard. If you delete your account, we remove or anonymise your personal data within 30 days, except where we are required to retain limited records for legal compliance, fraud prevention, security investigations, or safety and CSAE reports.

07

How to delete your account

You can delete your account directly from PRIMZ:

  • On the web: Dashboard → Profile → Delete account, then type “DELETE” to confirm.
  • On iOS or Android: Settings tab → Delete account, then confirm the deletion flow.

When deletion is confirmed, PRIMZ anonymises your email, username, bio, avatar, logo, background, theme, and display name; clears your password hash and Google ID; deactivates your smart-links; revokes all Redis sessions; and sets a deletion timestamp on your account. Full removal or anonymisation is completed within 30 days.

Limited records may be retained after deletion where required for legal compliance, fraud prevention, security investigations, or safety and CSAE reports.

08

Security

Passwords are hashed with Argon2id. Sessions are stored in Redis with automatic expiry. Transport is encrypted with TLS. Image uploads go directly from your device to object storage using short-lived (5-minute) presigned URLs — our servers never see the raw bytes. No system is perfectly secure; if you suspect your account has been compromised, contact us at [email protected].

09

Your rights

You can access and edit your profile at any time from the dashboard. You can also request any of the following by emailing us at [email protected]:

  • A copy of the personal data we hold about you.
  • Correction of inaccurate data.
  • Deletion of your account and associated data.
  • Restriction or objection to specific processing (where applicable under your local law, e.g. GDPR).

We respond to verified requests within 30 days.

10

Children

PRIMZ is not directed to children under 13 (or the equivalent minimum age in your jurisdiction). This 13+ minimum age also applies to the PRIMZ mobile apps for App Store age-rating consistency. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with information, contact us and we will delete it.

11

International transfers

Our infrastructure may process data in regions other than where you live. When we transfer personal data across borders, we rely on the standard safeguards provided by our cloud providers (e.g. EU Standard Contractual Clauses for transfers from the European Economic Area).

12

Changes to this policy

If we make material changes to this policy, we will update the effective date at the top of this page and, where appropriate, notify you by email. Continued use of PRIMZ after a change means you accept the updated policy.

13

Contact

Questions, requests, or complaints? Email [email protected].

← Back to home