Backlinks.gg

Privacy Policy

Last updated: 22 May 2026

Backlinks.gg (“we”, “us”, “our”) operates the Backlinks.gg backlink-research and outreach platform at https://backlinks.gg and https://app.backlinks.gg. This policy explains what data we collect, how we use it, and the limited circumstances in which we share it.

1. Account information

When you sign up, we collect your name, email address, and an encrypted password (or the OAuth identity from Google when you sign in with Google). We use this information only to authenticate you, send you operational email about your account, and bill you if you subscribe to a paid plan.

2. Connected Gmail mailboxes

Backlinks.gg lets you connect one or more Gmail accounts to send outreach email on your behalf. When you connect a Gmail mailbox we request two OAuth scopes from Google:

  • https://www.googleapis.com/auth/gmail.send — required to send outreach emails on your behalf from your connected Gmail mailbox.
  • https://www.googleapis.com/auth/userinfo.profile — required to display the connected mailbox owner’s name and avatar in the Backlinks.gg UI.

We do NOT request gmail.readonly, gmail.modify, gmail.metadata, gmail.settings, or any other scope that would let us read, modify, or list messages in your inbox. We do not have access to your inbox.

3. How we use the access we are granted

We use the gmail.send grant exclusively to send the campaign messages you have authored or scheduled inside Backlinks.gg. We use the userinfo.profile grant only to show your name and avatar in the mailbox connection UI.

Replies to messages we send on your behalf are routed via a Reply-To: header to our own inbound endpoint at inbound.backlinks.gg, processed by our inbound mail provider (Postmark), and shown to you inside Backlinks.gg. Because replies route directly to our endpoint, we never need to read your Gmail inbox to display them.

4. Google API limited use disclosure

Backlinks.gg’s use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

In particular, we do not:

  • Allow humans to read your data unless we have your affirmative agreement for specific messages, are required to do so for security purposes (such as investigating abuse), or must do so to comply with applicable law.
  • Use the data for serving ads, including retargeting, personalised, or interest-based advertising.
  • Transfer this data to third parties except as necessary to provide or improve the user-facing features of Backlinks.gg, comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users.
  • Use the data for any purpose unrelated to the user-facing features described in this policy.

5. How we store your Google credentials

OAuth refresh tokens issued by Google to Backlinks.gg are encrypted at rest using AES-256-GCM, with the encryption key held only in our infrastructure environment (not in the database). The encrypted tokens live in our production Postgres database, hosted on Hetzner in Germany. They are decrypted only at the moment a send is performed.

If you disconnect a mailbox inside Backlinks.gg, or revoke the Backlinks.gg grant from your Google Account (myaccount.google.com/permissions), we delete the encrypted refresh token from our database within 24 hours.

6. Other data we collect

  • Outreach activity — the campaigns you author, the messages you send through Backlinks.gg, the responses you receive, and metadata such as opens and clicks. Used to operate the product and provide analytics back to you.
  • Backlink and domain research — the websites and domains you analyse inside Backlinks.gg. Used to provide the product feature and improve aggregate ranking models.
  • Operational logs — IP address, browser, and pages visited. Retained 90 days for abuse prevention and debugging.
  • Billing information — if you subscribe to a paid plan, we use Polar.sh as our payment processor. We do not store full credit-card numbers ourselves.

7. Subprocessors

  • Hetzner — primary hosting (Germany)
  • Cloudflare — CDN, DNS, DDoS protection
  • Postmark — inbound email reception
  • Polar.sh — payment processing
  • Google — Gmail send API (only when you connect a Gmail mailbox)
  • OpenAI, Anthropic, OpenRouter — large language model APIs for content generation features (we send the prompts you author; we do not send your connected Gmail data to LLM providers).

8. Data retention and deletion

  • Account data is retained for the life of your account. You can request deletion at any time by emailing the address below; we will remove all personal data within 30 days.
  • OAuth refresh tokens are deleted within 24 hours of you disconnecting a mailbox.
  • Operational logs are retained for 90 days, then deleted.
  • Outreach campaign data is retained while your account is active; you can delete individual campaigns at any time.

9. International data transfer

Our infrastructure is in Germany. If you are accessing Backlinks.gg from outside the EU, your data may be transferred to and processed in the EU.

10. Your rights

You have the right to access, correct, export, or delete the personal data we hold about you. To exercise any of these rights, email us at the address below.

11. Contact

Questions about this policy? Email [email protected].

We may update this policy from time to time. Material changes will be announced inside the Backlinks.gg app at least 14 days before they take effect.

© 2026 Backlinks.gg. All rights reserved.