Privacy Policy
Last updated: 31 May 2026
This policy explains how De Mul Ltd ("we", "us", "our") collects and uses personal data when you use Doclinky (the "Service"), and your rights under the UK GDPR and the Data Protection Act 2018. Doclinky lets people share Google Drive documents as read-only, link-based data rooms.
1. Who we are (data controller)
De Mul Ltd is the controller for personal data described in this policy.
- Company: De Mul Ltd, a company registered in England & Wales (company number 09632103).
- Registered office: 11 Holyoake Avenue, Woking, England, GU21 4PW.
- Contact for privacy matters: privacy@doclinky.com.
2. Who this applies to
Account owners sign in with Google to create links. Visitors open a shared link to view documents. For data about visitors, the account owner who created the link is generally the controller deciding why the documents are shared; we process that data to provide the Service and act as a controller for our own operational purposes (security, analytics we surface, and notifications). Owners are responsible for having a lawful basis to invite their own visitors.
3. What we collect, why, and our lawful basis
| Data | Purpose | Lawful basis |
|---|---|---|
| Account owner: Google account email & name | Create and authenticate your account | Contract (Art. 6(1)(b)) |
| Account owner: encrypted Google OAuth token (read-only Drive) | Read the files/folders you choose to share | Contract (Art. 6(1)(b)) |
| Visitor: email address entered at a link's gate | Grant access and attribute views to the link owner | Legitimate interests (Art. 6(1)(f)) — letting owners know who accessed their documents |
| Visitor: IP address, browser user-agent | Security, abuse prevention, and basic visit records | Legitimate interests (Art. 6(1)(f)) |
| Visitor: per-page view time (analytics) | Show the link owner engagement on their documents | Legitimate interests (Art. 6(1)(f)) |
| Strictly necessary cookies (session/login) | Keep you signed in / hold a visitor session | Necessary for a service you request (no consent required) |
| Product analytics (planned) | Understand and improve how the app is used | Consent (Art. 6(1)(a)) — via a cookie banner, once enabled |
Where we rely on legitimate interests, we have weighed those interests against your rights; you can object at any time (see section 8).
4. How we use Google Workspace data
We request the drive.readonly scope solely to display the
documents you choose to share. We render pages server-side as images; the
source files are not modified, copied elsewhere, or shared beyond the links
you create.
Doclinky's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements. We do not use Google user data for advertising, do not sell it, and do not use it to train AI/ML models.
5. Recipients & processors
We do not sell personal data. We share it only with service providers who process it on our instructions:
- Hosting — Hetzner (servers located in the EU), running our application and database.
- Email — Scaleway (Transactional Email, servers in France/EU), to send visit-summary notifications to link owners.
- Google — as the source of the documents you share and the identity you sign in with.
6. International transfers
Our hosting and email processors store data within the EU. Google (sign-in and the documents you share) may process data outside the UK, including in the United States. Where data leaves the UK, we rely on appropriate safeguards such as the UK International Data Transfer Agreement / Addendum to EU Standard Contractual Clauses, or an adequacy decision.
7. Retention
We keep account data while your account is active. Visit records (visitor email, IP, view analytics) are retained for as long as the associated link exists; deleting a link removes its visit records. You can ask us to delete your account and associated data at any time. Backups are rotated and overwritten in the ordinary course.
8. Your rights
Under UK GDPR you have the right to: access your data; have it corrected; have it erased; restrict or object to processing; data portability; and to withdraw consent where processing is based on consent. To exercise any of these, contact privacy@doclinky.com. Account owners can also revoke Doclinky's access at any time in their Google account permissions, which immediately stops all future Drive access.
You also have the right to lodge a complaint with the UK supervisory authority, the Information Commissioner's Office (ICO): ico.org.uk.
9. Cookies
We use strictly necessary cookies to keep owners signed in and to hold a visitor's session on a link; these do not require consent. We intend to add privacy-friendly product analytics; any non-essential cookies will only be set after you give consent through a cookie banner, and you will be able to withdraw it at any time.
10. Security
OAuth tokens and link passwords are encrypted at rest, traffic is served over HTTPS, and access is rate-limited. No system is perfectly secure, but we take appropriate technical and organisational measures to protect your data.
11. Changes
We may update this policy from time to time. Material changes will be reflected by the "last updated" date above.