Transparency report

What we publish, what we cannot hand over, and how to verify.

This page is LinkSilo's transparency report. It describes the categories of legal request we expect to receive, the architectural and procedural limits on what we can disclose in response, the warrant canary statement, the deletion and retention policies that bound the data set in scope, and the contact path for binding legal process. Reports are published annually after the first 12 months of public operation; this page is the structural framework for those reports plus the current pre-launch state.

Last reviewed 2026-05-11 · Reporting framework v1

Reporting period

Current state: pre-launch.

LinkSilo has not yet operated publicly. No user accounts have been registered through the production environment, no user content has been received, and no legal request of any category has been delivered to LinkSilo, its operators, or its hosting providers. All numeric counts on this page reflect that pre-launch state and are marked accordingly.

The first operational transparency report will publish twelve months after the public launch date, covering the preceding twelve months. Subsequent reports publish annually. Each annual report supersedes the previous; the past-reports archive (Section 9) retains all prior reports without modification.

Warrant canary

Dated statement, weekly update, removal is the signal.

LinkSilo publishes the following statement and updates it weekly. The continued presence of an updated statement is the affirmative signal. The absence of an updated statement is itself the signal that one or more categories below no longer hold; LinkSilo may be legally prevented from describing the change directly.

Canary statement

Last updated: 2026-05-11 · Next update due: 2026-05-18

As of the date above, LinkSilo has not received, complied with, or been subject to any of the following:

  • Any warrant under any jurisdiction's surveillance, criminal procedure, or national security legal frameworks.
  • Any national security letter, equivalent administrative compelled-disclosure instrument, or non-judicial order from any government agency.
  • Any gag order, non-disclosure obligation, or other compelled secrecy attached to a legal request received.
  • Any compelled-access, key-disclosure, or decryption-assistance order directed at LinkSilo, its operators, or its cryptographic key material.
  • Any mass-surveillance court order, bulk-access agreement, or systemic-data-access arrangement with any government or intelligence service.
  • Any voluntary cooperation request that LinkSilo has elected to respond to absent binding legal process.

This statement is reviewed and re-signed weekly by LinkSilo's named legal point of contact. If the statement is not updated by the due date listed above, treat its absence as a signal that one or more of the listed categories no longer holds and that LinkSilo may be legally prevented from describing the change directly. The signature is published alongside this statement at LinkSilo's open-source repository commit log as a tamper-evident record of each weekly attestation.

Request categories

Categories of legal request tracked for reporting.

The table below enumerates every category of legal request LinkSilo expects to encounter and the counts received in the current reporting period. Pre-launch counts are reported as zero and explicitly marked. The methodology for what counts as a single request is described in Section 8.

CategoryPeriodCumulativeNote
Warrants (search, seizure, surveillance)00Pre-launch
National security letters or equivalent00Pre-launch
Gag orders attached to a received request00Pre-launch
Compelled-access / key-disclosure orders00Pre-launch
MLAT (Mutual Legal Assistance Treaty) requests00Pre-launch
Civil litigation subpoenas and discovery orders00Pre-launch
Voluntary government cooperation responded to00Will remain 0; see Section 10

Each annual report will also break down complied-with versus challenged-and-dismissed counts within each category, with summary descriptions of the legal grounds on which each challenge was made or declined.

Disclosure limits

What we can hand over, what is architecturally unavailable.

The set of data LinkSilo could theoretically produce in response to a binding order is bounded by the architecture described on the security page. Several categories of user data are encrypted under keys LinkSilo does not hold; for those categories, the response to any binding order is a signed declaration that LinkSilo cannot produce the requested data, accompanied by an offer to deliver the ciphertext.

Account email
Stored in plaintext for transactional correspondence (login, security notifications, billing). Producible in response to a binding order targeting a specific account identifier.
Billing — Free tier
No Stripe interaction at all. silo-billing stores a tier marker on the account and nothing else; no payment data crosses to Stripe. A binding order targeting a Free-tier user's billing surface returns a signed declaration that no billing data exists.
Billing — manual top-up (any paid tier)
silo-billing stores the credit-ledger row (balance + currency + transaction log) plus the per-invoice plaintext metadata for tax reporting (date bucket, gross amount, currency, VAT amount, billing country). It does NOT store a Stripe Customer record or any persistent Stripe-side identifier for this user. The payment flow uses Stripe Checkout in mode=payment with customer=None — a load-bearing privacy invariant pinned in silo-billing/src/services/stripe_outbound.rs::create_topup_checkout. Payment and credit allocation are deliberately decoupled via a short-lived allocation code (24-hour TTL) that the user redeems explicitly after paying; the allocation code is the only intermediate connecting the payment to the account, and that connection is severed once redemption mints credit. A binding order targeting a manual top-up user's billing surface returns the credit ledger + invoice metadata; cannot produce any Stripe linkage because none is stored.
Billing — auto-top-up enabled (any paid tier; explicit opt-in)
Auto-top-up is the ONE LinkSilo flow that creates a persistent account ↔ Stripe linkage. Opting in is explicit (modal disclosure at enable time, mirroring the language on this page). When enabled, silo-billing stores stripe_customer_id + payment_method_id + threshold + refill amount + completed-top-up history on the credit-ledger row. Stripe holds the corresponding persistent Customer + saved PaymentMethod + off-session charge history. The ledger flip (auto-topup-enabled = TRUE + Stripe identifiers stored) happens server-side only after Stripe confirms saved-method capture via webhook — abandoning mid-Checkout leaves the ledger clean, no half-enabled state. A binding order targeting an auto-top-up user's billing surface returns all of the local fields above plus the Stripe linkage; LinkSilo can additionally query Stripe via API for default-payment-method metadata (brand, last four, expiry) and past invoice PDFs if requested by the order. A binding order delivered directly to Stripe under its own jurisdiction is the alternative path and is outside LinkSilo's process.
Billing — Stripe Customer email address
The email address attached to the Stripe Customer record (auto-top-up flow only) is user-typed at enable time into the LinkSilo dashboard modal — intentionally distinct from the account signup email. The user controls which address receives Stripe payment receipts. silo-id's signup email is hashed at rest and is not synced to Stripe; if the signup email changes (a future feature; not in v1), the Stripe Customer email is unaffected. To update the receipt email, the user disables and re-enables auto-top-up with the new address.
Billing — never accessible
Full card numbers, CVV / CVC values, full SEPA IBAN values, 3D Secure authentication artifacts, and Stripe-internal fraud signals are not accessible to LinkSilo under any circumstance. Card numbers are PCI-tokenized at the issuing bank; the IBAN is tokenized at Stripe; the authentication and fraud artifacts are Stripe-internal. Card-entry UI lives on checkout.stripe.com, not on any LinkSilo page — LinkSilo bundles no Stripe JavaScript and does not see card data even momentarily. The response to a binding order targeting any of these categories is a signed declaration that LinkSilo cannot produce the requested data.
Pending payment — unlinkable by design
Between Stripe's payment-success webhook and the moment the user explicitly redeems the allocation code on the LinkSilo dashboard, silo-billing's pending_payment row carries no account identifier. The account-to-payment linkage is forged only at the redemption step, where the user submits the allocation code returned at top-up start; the code is the only intermediate. The plaintext allocation code is returned ONCE at top-up time (never retrievable from the database afterward — only its HMAC-peppered hash is stored), and the pending_payment row is reconciled against the redemption when credit mints. A binding order targeting a pending payment cannot be answered with an account identifier — silo-billing does not hold that mapping for unredeemed payments.
Tip-jar Connect accounts — KYC linkable by regulation
Creators receiving tips through LinkSilo's tip jar must link a Stripe Connect Express account to receive payouts. This linkage carries regulatory KYC obligations (anti-money-laundering, tax reporting) that Stripe imposes on payout recipients; it is not a LinkSilo design choice. silo-billing stores the Connect account ID + status for tip recipients. A binding order targeting a tip-receiving creator returns this linkage. Account-level unlinkability (the manual top-up flow above) and tip-receiver linkability are independent disclosure axes — a paid-tier user on manual top-up who does NOT receive tips has zero persistent Stripe linkage; a Free-tier user who DOES receive tips has Connect-account linkage but no top-up linkage.
Page content
Page titles, link labels, link URLs, and social URLs are encrypted in the user's browser under the user's master key before submission. LinkSilo holds ciphertext only and cannot decrypt. The response to a binding order targeting page content is a signed declaration of inability to produce, plus the ciphertext if requested.
Contact submissions
Visitor messages are sealed-box encrypted to the creator's published X25519 public key. LinkSilo cannot decrypt; same response shape as page content.
Newsletter subscriber emails
Sealed-box encrypted in the subscriber's browser. LinkSilo holds ciphertext plus an HMAC-based dedup hash. The hash supports server-side deduplication but is not reversible to plaintext addresses.
Analytics counters
Aggregate page-view, link-click, country-mix, and referrer-class counts per page per UTC day. Visitor-derived dimensions are subject to k-anonymity suppression. No per-visitor or per-event data exists; LinkSilo cannot produce records that would link a specific visitor to a specific event.
IP addresses
Not retained. The analytics ingress coarsens IPs to country code + daily-rotated HMAC and discards the raw value at the process boundary. The top-up flow additionally reads the IP once at payment time for EU VAT buyer-country determination (Geo-IP combined with the browser Accept-Language header per regulatory minimum-disclosure requirements; see the architectural-ceiling block below) — only the resulting two-letter country code is persisted on the allocation_code row, never the IP itself. LinkSilo cannot produce IP records that no longer exist.
Cold-key encrypted invoices
Finnish tax law requires six-year retention of invoice records. LinkSilo retains the encrypted invoice blobs and the aggregate-friendly metadata (date bucket, amount, currency, VAT, country) needed for tax reporting. Decryption of an individual invoice body requires a Shamir-split key ceremony with auditable logs. The ceremony is itself a transparency-reportable event; any access is disclosed in the next annual report.

Architectural ceiling — what design alone cannot eliminate

LinkSilo's architecture pushes the unlinkability boundary as far as the regulatory and technical constraints allow. Some facts about a payment cannot be eliminated by design because they are intrinsic to how the payment system works. We document them here so the page is honest about the ceiling rather than overclaiming the floor.

  • Stripe's PCI scope. Card numbers necessarily flow through Stripe at payment time. Even with payment UI hosted on checkout.stripe.com (not on a LinkSilo page), Stripe is in the payment loop for every paid-tier transaction. LinkSilo cannot eliminate this by design.
  • Stripe Connect KYC for tip receivers. Payout recipients must complete Stripe's identity verification to receive funds (anti-money-laundering, tax reporting). The Connect linkage on tip-receiving accounts is regulatory; alternative cash-out channels (gift cards, cryptocurrency intermediaries) carry their own regulatory or UX tradeoffs and are deferred as separate investigations.
  • Payment processors necessarily see the payment. Stripe observes amount, currency, timestamp, and originating IP at every payment, regardless of what metadata LinkSilo sends. This is intrinsic to the role of a payment processor; design cannot eliminate it.
  • EU VAT MOSS — minimum two indicators required. EU regulation requires payment intermediaries to record at least two non-conflicting indicators of buyer country for VAT purposes. LinkSilo's implementation uses the minimum-disclosure compliance posture (Geo-IP coarsened to country code + browser Accept-Language primary preference) and persists only the resulting country code; the raw IP is not retained. This is the smallest disclosure that satisfies the regulation, not the maximum-privacy posture conceivable without it.

What LinkSilo will not do, under any request

  • No preemptive monitoring of user accounts, content, or activity in advance of a binding legal order.
  • No cryptographic backdoors, weakened key derivation, or escrow of user keys to facilitate access.
  • No "lawful intercept" wire-tap-equivalent mechanism. The architecture does not support real-time access to user content because LinkSilo does not hold the necessary keys.
  • No real-name identity verification at signup. The account email is the only required identifier. Account-level Stripe-side identity material is not retained for manual top-up users; auto-top-up opt-in does create a persistent Stripe Customer record (see the billing claim block above). Tip-receiving accounts that opt into payouts are separately subject to Stripe Connect KYC; this is regulatory, not a LinkSilo design choice (see the architectural-ceiling block above).
  • No voluntary disclosure absent binding legal process — see Section 10 for the minimum-bar standard.
Account deletion

GDPR Article 17 right to erasure, with no grace period.

When a user initiates account deletion, the deletion is immediate and unrecoverable. LinkSilo does not implement a grace period during which logging back in cancels the deletion; the user's keys are wiped at the moment of deletion confirmation, after which no procedural reversal is possible.

silo-id (identity)
Account row, all sessions, all WebAuthn credentials, all email-verification rows, all password-reset rows, recovery salt. Audit log entries are anonymized rather than deleted (the audit trail's integrity is itself a transparency asset).
silo-billing
Credit-ledger row deleted (balance + transaction history + auto-top-up state). For users who had auto-top-up enabled, the linked Stripe Customer is removed at Stripe (saved PaymentMethod detached first; Customer record deleted second); the local stripe_customer_id and payment_method_id fields are cleared as part of the ledger-row cascade. Connect-account rows (for tip-receiving creators) are deleted. Encrypted invoice blobs are NOT deleted; Finnish tax law requires six-year retention. The plaintext columns retained alongside the encrypted blobs are aggregate-friendly (date bucket, amount, currency, VAT country) and do not identify the user.
linksilo (product)
All published pages, all page drafts, all received tip records, all received contact submissions, all analytics retention rows. Page slugs are tombstoned (slug string only, no PII) to enforce the never-recycle invariant; the tombstone preserves no identifying data.
Audit log retention
Account-level audit entries are anonymized at deletion: the user identifier is replaced with a pseudonymous token; the event records remain for integrity verification. The audit log itself does not contain user content, only event-type and timestamp.
Retention

What we keep, for how long, and why.

Account email
Retained for the lifetime of the account. Deleted on account deletion (see Section 6).
Session tokens
Refresh tokens valid for 14 days from last use, then automatically revoked. Access tokens valid for 15 minutes. All sessions deleted on account deletion.
Audit log entries
Retained for the lifetime of the account; anonymized rather than deleted at account deletion. Event types and timestamps; no user content.
Encrypted invoices
Six years from invoice date, per Finnish bookkeeping law (Kirjanpitolaki § 2:10). Stored as encrypted blobs under a Shamir-split cold-storage key. Aggregate metadata (date, amount, currency, VAT, country) retained alongside.
Analytics aggregates
Per-page aggregate counters retained for 90 days at hourly granularity (Free / Starter), one year at daily granularity (Pro / Premium). No per-event or per-visitor records exist beyond these aggregates.
Daily visitor-hash salt
Generated from /dev/urandom and held in the analytics-ingress process memory for the 24-hour active window. Rotated daily at 00:00 UTC; previous-day salt is discarded.
Tombstoned identifiers
Page slugs and account usernames are tombstoned forever to prevent recycling. The tombstone retains the identifier string only; no associated user data.
Methodology

What counts as a request, and how counts are derived.

Each annual report applies the following methodology to ensure the numeric counts in Section 4 are reproducible and comparable across reporting periods.

One request, one count
A single legal instrument is counted once regardless of how many user accounts it targets. A request targeting 100 accounts increments the category counter by 1 and is described in the per-category narrative.
Informal contacts excluded
Non-binding inquiries from law-enforcement personnel (e.g., "is this account known to you") are not counted in any category. LinkSilo's response to such inquiries is to require a binding legal instrument before any disclosure (see Section 10).
Challenged requests included
A request that LinkSilo challenged and the court dismissed or quashed is still counted in the received-request total, with a separate complied-with count distinguishing outcome.
Gag-restricted reporting
Where a received request carries a non-disclosure obligation that prevents per-category reporting, the report aggregates the gag-restricted requests into a single "gag-bound" line item with no per-category breakdown until the obligation lifts. The warrant canary in Section 3 is the mechanism by which a change in the gag-bound state is communicated when direct description is prohibited.
Outcome categories
For each request, the report records one of: complied-with-in-full, complied-with-narrowed-scope, challenged-and-dismissed, withdrawn-by-requester, or pending-at-report-publication. Pending requests carry over to the next reporting period.
Cold-key access events
Each invocation of the Shamir-split cold-key ceremony for encrypted invoice access is itself a separately reported event, regardless of whether the underlying request originated from legal process or internal tax-reporting need.
Past reports

Archive of previously published reports.

No annual reports have been published yet. The first report will publish twelve months after the public launch date and will cover the preceding twelve months. Each annual report is published as a stable URL under https://linksilo.io/transparency/<year> and is never modified after publication. Corrections, if necessary, publish as separate addendum documents with cross-references.

The annual reports are signed under LinkSilo's published Ed25519 transparency-report signing key. The signing key is rotated on the same cadence as the warrant canary signing key and the previous key is preserved in the open-source repository's key directory for verification of historical reports.

Lawful-process contact

Where to direct binding legal process.

Binding legal process should be directed to the address below. LinkSilo does not voluntarily respond to non-binding inquiries; receipt of a binding instrument under Finnish or Swiss jurisdiction is the minimum bar for any response.

Legal process intake

Email is monitored during Finnish business hours and acknowledged within five business days. Substantive response timeline depends on the request category and jurisdictional complexity.

Postal address (if email is not responsive):
LinkSilo Oy
Attn: Legal Process
[Finnish company-registry address — published on launch]
Helsinki, Finland
Minimum bar for response:
  • Binding legal process under Finnish jurisdiction (issued by a Finnish court, prosecutor, or competent administrative authority).
  • Binding legal process under Swiss jurisdiction (where applicable to LinkSilo's hosting infrastructure).
  • Foreign requests routed through MLAT (Mutual Legal Assistance Treaty) procedures to a Finnish or Swiss authority. Direct foreign requests will be declined with a referral to the MLAT process.
  • Civil litigation subpoenas served on LinkSilo's registered Finnish entity through proper process under Finnish civil procedure.

LinkSilo will challenge requests that are overbroad, that lack legal basis under the applicable jurisdiction, or that carry a gag obligation extending beyond what the applicable law permits. The outcome of each challenge is reported in the next annual transparency report.