Skip to content
Tolinku
Tolinku
Sign In Start Free
Comparisons · · 4 min read

Privacy Compliance Comparison for Deep Linking Platforms

By Tolinku Staff
|
Tolinku migration guides dashboard screenshot for comparisons blog posts

Privacy regulations affect what data deep linking platforms can collect, how they process it, and what consent mechanisms you need. A platform that relies on device fingerprinting for attribution requires different consent handling than one that uses deterministic methods only. This comparison evaluates privacy compliance across deep linking platforms.

For GDPR-specific guidance, see attribution and GDPR. For privacy-compliant analytics, see privacy-compliant analytics.

Data Collection Comparison

What Each Platform Collects

Data Point Tolinku Branch AppsFlyer Adjust Bitly
Link click (URL, timestamp) Yes Yes Yes Yes Yes
IP address Yes (for geo) Yes Yes Yes Yes
User-Agent string Yes Yes Yes Yes Yes
Device model Via User-Agent Yes (detailed) Yes (detailed) Yes (detailed) Via User-Agent
OS version Via User-Agent Yes Yes Yes Via User-Agent
Advertising ID (IDFA/GAID) No Optional Yes (with consent) Yes (with consent) No
Device fingerprint No Yes Yes Yes No
Screen resolution No Yes Yes Yes No
Language/locale No Yes Yes Yes No
Installed apps No No No No No
Referrer URL Yes Yes Yes Yes Yes

Key difference: MMP platforms collect significantly more data because they need it for probabilistic attribution matching. Tolinku collects only what is needed for link resolution and basic analytics.

GDPR Compliance

The General Data Protection Regulation (GDPR) applies to any platform processing data of EU residents.

Data Processing Roles

Platform Typical Role DPA Available Data Residency
Tolinku Data processor Yes Configurable
Branch Data processor / controller Yes US, EU
AppsFlyer Data processor Yes US, EU, India
Adjust Data processor Yes US, EU
Kochava Data processor Yes US, EU

All major platforms offer Data Processing Agreements (DPAs). The distinction between "processor" and "controller" matters: if the platform acts as a data controller for some data, it can use that data for its own purposes.

Scenario Tolinku MMP Platforms
Basic link resolution Legitimate interest (no consent needed) Depends on data collected
Click analytics (aggregate) Legitimate interest Depends on data collected
Device fingerprinting Not applicable (not used) Requires consent
Advertising ID tracking Not applicable (not used) Requires explicit consent
Cross-app attribution Not applicable Requires explicit consent

Tolinku's approach simplifies GDPR compliance because it does not collect data that requires explicit consent. MMP platforms that use fingerprinting or advertising IDs must implement consent management.

Apple App Tracking Transparency (ATT)

ATT requires iOS apps to request permission before tracking users across apps and websites.

Platform ATT Required? Behavior Without ATT Consent
Tolinku No Full functionality
Branch Depends on configuration Reduced attribution accuracy
AppsFlyer Yes (for full attribution) Falls back to SKAdNetwork
Adjust Yes (for full attribution) Falls back to probabilistic
Kochava Yes (for full attribution) Falls back to SKAdNetwork

ATT consent rates are approximately 25-30%. This means 70-75% of iOS users deny tracking, significantly reducing MMP attribution accuracy. Tolinku does not require ATT consent because it does not track users across apps.

CCPA / CPRA Compliance

The California Consumer Privacy Act and its amendment (CPRA) give California residents rights over their personal data.

Requirement Tolinku MMP Platforms
Data deletion requests Supported Supported
"Do Not Sell" opt-out Not applicable (no data selling) Must implement
Data inventory Minimal data points Extensive data inventory
Privacy policy disclosure Required Required

The "Do Not Sell" requirement is relevant for platforms that share data with ad networks for attribution purposes. Tolinku does not share data with third parties.

Privacy Manifests (iOS)

Starting with iOS 17, Apple requires apps to declare their use of tracking APIs in privacy manifest files. SDKs must include their own privacy manifests.

SDK Privacy Manifest Included Declared APIs
Tolinku Yes Network access only
Branch Yes Network, device info, user defaults
AppsFlyer Yes Network, device info, advertising ID, user defaults
Adjust Yes Network, device info, advertising ID, user defaults

More declared APIs means more scrutiny during Apple's App Review process and more questions from privacy-conscious users.

Privacy Sandbox (Android)

Google's Privacy Sandbox for Android is replacing advertising ID-based tracking with privacy-preserving APIs.

API Purpose Tolinku Impact MMP Impact
Topics API Interest-based advertising None Affects audience targeting
Attribution Reporting API Privacy-preserving attribution None Replaces GAID-based attribution
Protected Audiences Remarketing None Affects retargeting campaigns

Tolinku is unaffected by Privacy Sandbox changes because it does not use advertising IDs or cross-app tracking. MMP platforms must adapt their attribution methods.

Privacy-First Deep Linking

A privacy-first deep linking platform:

  1. Collects minimal data. Only what is needed for link resolution and basic analytics.
  2. Does not fingerprint. No probabilistic matching using device characteristics.
  3. Does not use advertising IDs. No IDFA or GAID collection.
  4. Does not share data with third parties. Your link data stays within your account.
  5. Supports data deletion. Users can request deletion of their data.
  6. Works without consent prompts. Core functionality does not require ATT or cookie consent.

Compliance Checklist

Before choosing a platform, verify:

  • Does the platform provide a DPA (Data Processing Agreement)?
  • What data does the SDK collect? Is it documented?
  • Does the SDK include a privacy manifest (iOS)?
  • Does the platform support data deletion requests?
  • Where is data stored? Does it meet your data residency requirements?
  • Does the platform act as a data processor or data controller?
  • Does core functionality require user consent (ATT, cookies)?
  • Does the platform share data with third-party ad networks?

Tolinku Privacy

Tolinku is designed as a privacy-first deep linking platform. It does not use device fingerprinting, does not collect advertising IDs, and does not share data with ad networks. Core deep linking functionality works without requiring ATT consent or cookie banners. This simplifies your compliance posture.

For GDPR guidance, see attribution and GDPR. For the full platform comparison, see deep linking platform comparison.

Get deep linking tips in your inbox

One email per week. No spam.

Ready to add deep linking to your app?

Set up Universal Links, App Links, deferred deep linking, and analytics in minutes. Free to start.