Privacy Policy
Last updated: February 20, 2026
1. Information We Collect
We collect the minimum information necessary to provide and improve the Service. The data we collect depends on how you interact with shorten.dev:
(a) Account information (registered users)
When you sign in via an OAuth provider (GitHub or Google), we receive and store your name, email address, and profile picture as provided by that provider. We do not receive or store your password.
(b) Link data (registered users)
When you create a shortened link, we store the slug, destination URL, tags, creation timestamp, and the association to your account.
(c) Click analytics (link visitors)
When any person clicks a shortened link, we collect: timestamp of the click, country (derived from IP geolocation), referrer URL, browser type, and device type. IP addresses are hashed before storage (see Section 4).
(d) Technical and log data
We automatically collect request timestamps, API access logs, and rate limit counters for security, abuse prevention, and operational purposes.
2. Legal Basis for Processing
We process your personal data on the following legal bases under applicable data protection law (including the EU General Data Protection Regulation):
- Contractual necessity: Processing your account data and link data is necessary to provide the Service as described in our Terms of Service.
- Legitimate interest: Processing click analytics, technical logs, and rate limit data is necessary for our legitimate interests in providing analytics features, preventing abuse, maintaining security, and improving the Service. These interests are balanced against your rights and do not override them.
- Consent: Where required by applicable law, we obtain your consent before processing. You may withdraw consent at any time by contacting us.
- Legal obligation: We may process your data when required to comply with applicable law, regulation, or valid legal process.
3. How We Use Your Information
We use the collected information to:
- Provide, maintain, and operate the Service
- Authenticate your identity and manage your account
- Generate link analytics and usage statistics for you
- Detect and prevent abuse, spam, and malicious activity
- Enforce rate limits and fair use policies
- Respond to support inquiries and legal requests
- Improve the Service and develop new features
- Comply with applicable laws, regulations, and legal processes
We do not use your personal data for advertising, profiling, automated decision-making, or selling to third parties.
4. IP Address Handling
All IP addresses are irreversibly hashed using SHA-256 before storage. We never store raw IP addresses in our database. Hashed IPs are used solely for analytics aggregation (e.g., counting unique visitors) and abuse detection. They cannot be reversed to identify individual users. Raw click event data, including the hashed IP, is automatically purged within 24 hours.
5. Data Sharing
We do not sell, rent, trade, or otherwise commercially share your personal information with third parties. We may share data only in the following limited circumstances:
- Service providers: We use third-party services to operate the Service, including Supabase (authentication and database hosting), Cloudflare (CDN and redirect infrastructure), and OAuth providers (GitHub, Google) for authentication. These providers process data on our behalf and are bound by their own privacy policies and contractual obligations.
- Legal requirements: When required by law, regulation, subpoena, court order, or valid legal process, or when we believe in good faith that disclosure is necessary to protect the rights, safety, or property of shorten.dev, our users, or the public.
- Business transfers: In the event of a merger, acquisition, reorganization, or sale of assets, your data may be transferred to the successor entity, subject to the same privacy protections described in this Policy.
- Aggregated or anonymized data: We may share aggregated, de-identified, or anonymized data that cannot reasonably be used to identify you, for purposes such as research or public statistics.
6. International Data Transfers
The Service is operated from the United States of America. Your data may be processed and stored in the United States and other countries where our service providers operate. If you are located outside the United States, you acknowledge and consent to the transfer, processing, and storage of your data in the United States and other jurisdictions that may have different data protection laws than your country of residence.
For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on appropriate legal mechanisms, including standard contractual clauses, to ensure adequate protection of your data in compliance with applicable data protection law.
7. Data Retention
We retain data according to the following schedule:
- Account data: Retained for the duration of your account. Deleted within 30 days of an account deletion request.
- Link data: Links are permanent and survive account deletion. Shortened links continue redirecting even after account deletion (the link is disassociated from the deleted account). This prevents previously shared links from breaking.
- Analytics data: Aggregated analytics (hourly stats) are retained for as long as the associated link exists.
- Raw click events: Automatically purged within 24 hours via scheduled database cleanup.
- API access logs: Retained for up to 90 days for security and abuse prevention, then automatically deleted.
8. Cookies & Local Storage
We use only essential and functional storage mechanisms. We do not use third-party tracking cookies, advertising pixels, or cross-site tracking technologies of any kind.
- Session cookies (essential): Used to maintain your authenticated session. These are strictly necessary for the Service to function and cannot be disabled.
- Theme preference (functional): Your light/dark mode preference is stored in browser local storage to persist your UI settings across visits.
Because we only use essential and functional cookies (no tracking or advertising), a cookie consent banner is not required under most applicable privacy regulations.
9. Third-Party Services
We use the following third-party services to operate shorten.dev. Each has its own privacy policy governing how it handles your data:
- Supabase — Authentication and database hosting
- Cloudflare — CDN, DNS, and redirect infrastructure
- GitHub — OAuth authentication provider
- Google — OAuth authentication provider
We only receive the profile information you explicitly authorize during the OAuth authentication process. We encourage you to review the privacy policies of these providers.
10. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
General rights
- Access the personal data we hold about you
- Request correction of inaccurate or incomplete data
- Request deletion of your account and associated data
- Export your data in a machine-readable format
- Withdraw consent for data processing at any time
Additional rights for EU/EEA residents (GDPR)
- Right to restrict processing of your personal data
- Right to data portability
- Right to object to processing based on legitimate interest
- Right to lodge a complaint with your local data protection supervisory authority
Additional rights for California residents (CCPA/CPRA)
- Right to know what personal information is collected, used, and shared
- Right to delete your personal information
- Right to opt out of the sale or sharing of personal information — we do not sell or share your personal information for cross-context behavioral advertising
- Right to non-discrimination for exercising your rights
To exercise any of these rights, contact us at privacy@shorten.dev. We will respond to verified requests within 30 days (or the timeframe required by applicable law). We may need to verify your identity before fulfilling your request.
11. Do Not Track
Some web browsers transmit a "Do Not Track" (DNT) signal. There is currently no industry standard for how online services should respond to DNT signals. We do not currently respond to DNT signals. However, we do not engage in cross-site tracking, do not serve targeted advertisements, and do not share your browsing data with third-party advertisers.
12. Security
We implement industry-standard security measures to protect your data, including encryption in transit (TLS/HTTPS), hashed IP storage (SHA-256), secure API key management (hashed keys, prefix-only display), and row-level security in our database. All authentication is handled through established OAuth providers.
However, no method of electronic transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. In the event of a data breach that affects your personal information, we will notify affected users and relevant authorities as required by applicable law.
13. Children's Privacy
The Service is not intended for or directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you are between 13 and the age of majority in your jurisdiction, you may only use the Service with the consent and supervision of your parent or legal guardian.
If we become aware that we have collected personal information from a child under 13, we will take steps to promptly delete that information. If you believe a child under 13 has provided personal information to us, please contact us at privacy@shorten.dev.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the "Last updated" date at the top of this page. Your continued use of the Service after any modification constitutes your acceptance of the updated Policy. We encourage you to review this page periodically.
15. Contact
For privacy-related inquiries, data access requests, or concerns about how your data is handled, contact us at privacy@shorten.dev.
For general legal inquiries, contact us at legal@shorten.dev.