Privacy regulations affect what data deep linking platforms can collect, how they process it, and what consent mechanisms you need. A platform that relies on device fingerprinting for attribution requires different consent handling than one that uses deterministic methods only. This comparison evaluates privacy compliance across deep linking platforms.
For GDPR-specific guidance, see attribution and GDPR. For privacy-compliant analytics, see privacy-compliant analytics.
Data Collection Comparison
What Each Platform Collects
| Data Point | Tolinku | Branch | AppsFlyer | Adjust | Bitly |
|---|---|---|---|---|---|
| Link click (URL, timestamp) | Yes | Yes | Yes | Yes | Yes |
| IP address | Yes (for geo) | Yes | Yes | Yes | Yes |
| User-Agent string | Yes | Yes | Yes | Yes | Yes |
| Device model | Via User-Agent | Yes (detailed) | Yes (detailed) | Yes (detailed) | Via User-Agent |
| OS version | Via User-Agent | Yes | Yes | Yes | Via User-Agent |
| Advertising ID (IDFA/GAID) | No | Optional | Yes (with consent) | Yes (with consent) | No |
| Device fingerprint | No | Yes | Yes | Yes | No |
| Screen resolution | No | Yes | Yes | Yes | No |
| Language/locale | No | Yes | Yes | Yes | No |
| Installed apps | No | No | No | No | No |
| Referrer URL | Yes | Yes | Yes | Yes | Yes |
Key difference: MMP platforms collect significantly more data because they need it for probabilistic attribution matching. Tolinku collects only what is needed for link resolution and basic analytics.
GDPR Compliance
The General Data Protection Regulation (GDPR) applies to any platform processing data of EU residents.
Data Processing Roles
| Platform | Typical Role | DPA Available | Data Residency |
|---|---|---|---|
| Tolinku | Data processor | Yes | Configurable |
| Branch | Data processor / controller | Yes | US, EU |
| AppsFlyer | Data processor | Yes | US, EU, India |
| Adjust | Data processor | Yes | US, EU |
| Kochava | Data processor | Yes | US, EU |
All major platforms offer Data Processing Agreements (DPAs). The distinction between "processor" and "controller" matters: if the platform acts as a data controller for some data, it can use that data for its own purposes.
Consent Requirements
| Scenario | Tolinku | MMP Platforms |
|---|---|---|
| Basic link resolution | Legitimate interest (no consent needed) | Depends on data collected |
| Click analytics (aggregate) | Legitimate interest | Depends on data collected |
| Device fingerprinting | Not applicable (not used) | Requires consent |
| Advertising ID tracking | Not applicable (not used) | Requires explicit consent |
| Cross-app attribution | Not applicable | Requires explicit consent |
Tolinku's approach simplifies GDPR compliance because it does not collect data that requires explicit consent. MMP platforms that use fingerprinting or advertising IDs must implement consent management.
Apple App Tracking Transparency (ATT)
ATT requires iOS apps to request permission before tracking users across apps and websites.
| Platform | ATT Required? | Behavior Without ATT Consent |
|---|---|---|
| Tolinku | No | Full functionality |
| Branch | Depends on configuration | Reduced attribution accuracy |
| AppsFlyer | Yes (for full attribution) | Falls back to SKAdNetwork |
| Adjust | Yes (for full attribution) | Falls back to probabilistic |
| Kochava | Yes (for full attribution) | Falls back to SKAdNetwork |
ATT consent rates are approximately 25-30%. This means 70-75% of iOS users deny tracking, significantly reducing MMP attribution accuracy. Tolinku does not require ATT consent because it does not track users across apps.
CCPA / CPRA Compliance
The California Consumer Privacy Act and its amendment (CPRA) give California residents rights over their personal data.
| Requirement | Tolinku | MMP Platforms |
|---|---|---|
| Data deletion requests | Supported | Supported |
| "Do Not Sell" opt-out | Not applicable (no data selling) | Must implement |
| Data inventory | Minimal data points | Extensive data inventory |
| Privacy policy disclosure | Required | Required |
The "Do Not Sell" requirement is relevant for platforms that share data with ad networks for attribution purposes. Tolinku does not share data with third parties.
Privacy Manifests (iOS)
Starting with iOS 17, Apple requires apps to declare their use of tracking APIs in privacy manifest files. SDKs must include their own privacy manifests.
| SDK | Privacy Manifest Included | Declared APIs |
|---|---|---|
| Tolinku | Yes | Network access only |
| Branch | Yes | Network, device info, user defaults |
| AppsFlyer | Yes | Network, device info, advertising ID, user defaults |
| Adjust | Yes | Network, device info, advertising ID, user defaults |
More declared APIs means more scrutiny during Apple's App Review process and more questions from privacy-conscious users.
Privacy Sandbox (Android)
Google's Privacy Sandbox for Android is replacing advertising ID-based tracking with privacy-preserving APIs.
| API | Purpose | Tolinku Impact | MMP Impact |
|---|---|---|---|
| Topics API | Interest-based advertising | None | Affects audience targeting |
| Attribution Reporting API | Privacy-preserving attribution | None | Replaces GAID-based attribution |
| Protected Audiences | Remarketing | None | Affects retargeting campaigns |
Tolinku is unaffected by Privacy Sandbox changes because it does not use advertising IDs or cross-app tracking. MMP platforms must adapt their attribution methods.
Privacy-First Deep Linking
A privacy-first deep linking platform:
- Collects minimal data. Only what is needed for link resolution and basic analytics.
- Does not fingerprint. No probabilistic matching using device characteristics.
- Does not use advertising IDs. No IDFA or GAID collection.
- Does not share data with third parties. Your link data stays within your account.
- Supports data deletion. Users can request deletion of their data.
- Works without consent prompts. Core functionality does not require ATT or cookie consent.
Compliance Checklist
Before choosing a platform, verify:
- Does the platform provide a DPA (Data Processing Agreement)?
- What data does the SDK collect? Is it documented?
- Does the SDK include a privacy manifest (iOS)?
- Does the platform support data deletion requests?
- Where is data stored? Does it meet your data residency requirements?
- Does the platform act as a data processor or data controller?
- Does core functionality require user consent (ATT, cookies)?
- Does the platform share data with third-party ad networks?
Tolinku Privacy
Tolinku is designed as a privacy-first deep linking platform. It does not use device fingerprinting, does not collect advertising IDs, and does not share data with ad networks. Core deep linking functionality works without requiring ATT consent or cookie banners. This simplifies your compliance posture.
For GDPR guidance, see attribution and GDPR. For the full platform comparison, see deep linking platform comparison.
Get deep linking tips in your inbox
One email per week. No spam.