Skip to main content
Back to home

Legal

Privacy Policy

Effective date:

SendURL ("we", "us", "our") operates the URL shortening and link analytics service at sendurl.to. This Privacy Policy explains what data we collect, why we collect it, how we use it, and your rights in relation to it.

We do not store payment information. The Service is currently free and no billing data of any kind is collected or processed.

1. Data We Collect

1.1 Account data (registered users)

When you create an account, we collect:

  • Email address — used for authentication and service communications.
  • Password — stored as a hashed credential via AWS Cognito. We never store plain-text passwords.
  • Account creation timestamp and basic account metadata.

We do not collect your name, phone number, address, or any payment information.

1.2 Link data

When you create a short link, we store:

  • The destination URL you provide.
  • A generated short slug (e.g. snu.to/abc123).
  • An optional title for the link.
  • The creation timestamp.
  • Whether the link is active or inactive.

For guest links (created without an account), we additionally store an anonymous guest token — a random 32-character string — in your browser's local storage. This token is used solely to allow you to claim the link into a registered account later. It is not linked to any personal identity.

1.3 Click analytics data

Every time someone clicks one of your short links, we automatically record the following data associated with that click event:

  • IP address — used to derive approximate geographic location (country, region, city) and then discarded. We do not store raw IP addresses.
  • Country, region, and city — derived from IP geolocation.
  • Device type — e.g. Mobile, Desktop, Tablet.
  • Browser — e.g. Chrome, Safari, Firefox.
  • Operating system — e.g. iOS, Android, Windows, macOS.
  • Referrer URL — the page the visitor came from (if provided by the browser).
  • User-agent string — used to parse device/browser/OS data.
  • Timestamp of the click.

This click data is visible to the link creator in their analytics dashboard. It is not shared publicly or sold to third parties.

1.4 Usage and technical data

We use Vercel Analytics and Vercel Speed Insights on our website and console. These tools collect anonymised usage data such as page views, web vitals (LCP, FID, CLS), and referrer information. No personally identifiable information is shared with Vercel beyond what is strictly necessary for these tools to function.

Standard server logs may include IP addresses for security and debugging purposes. These are retained for a limited period and are not used for tracking.

2. How We Use Your Data

  • To operate the Service — creating and resolving short links, displaying analytics dashboards, and managing your account.
  • To authenticate you — verifying your identity when you log in via AWS Cognito.
  • To provide analytics to you — showing you click data for links you own.
  • To improve the Service — using aggregated, anonymised usage data to understand how the platform is used.
  • To ensure security — detecting abuse, spam links, and malicious activity.
  • To communicate with you — sending account-related emails such as email verification and, if introduced, service updates. We do not send marketing emails without your consent.

3. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), our legal bases for processing your data are:

  • Contract performance — processing your account data and links to provide the Service you have requested.
  • Legitimate interests — security monitoring, fraud prevention, and service improvement using aggregated analytics.
  • Legal obligation — retaining certain records where required by law.

4. Data Sharing & Third Parties

We do not sell your personal data. We share data with third parties only as follows:

  • AWS (Amazon Web Services) — our infrastructure provider. Your account data is stored in AWS Cognito (authentication) and a PostgreSQL database hosted on AWS Lightsail. AWS processes data under its own privacy and security standards.
  • Vercel — hosting for our website and console frontends. Vercel Analytics and Speed Insights collect anonymised performance data.
  • IP Geolocation providers — we use a geolocation service to convert click IP addresses into approximate geographic data. The raw IP address is not retained after this conversion.

No other third parties receive your personal data.

5. Cookies & Local Storage

We use minimal client-side storage:

  • Authentication cookie (sendurl_token) — a JWT token set when you log in. Used to authenticate your requests to the API. It is a session-level cookie with no persistent tracking purpose.
  • Guest link local storage (sendurl_guest_link) — stores your guest link data in your browser's local storage so your link persists across page refreshes. This is never sent to our servers unless you choose to claim the link.

We do not use advertising cookies, tracking pixels, or third-party analytics cookies beyond Vercel's anonymised performance tooling.

6. Data Retention

  • Account data — retained for the lifetime of your account. Deleted within 30 days of account deletion.
  • Link data — retained for the lifetime of your account or until you delete the link.
  • Click analytics data — retained indefinitely while your account is active, allowing you to view full historical analytics.
  • Guest link data — retained for a reasonable operational period. Unclaimed guest links may be deleted after an extended period of inactivity.
  • Server logs — retained for up to 30 days for security purposes.

7. Security

We take reasonable technical and organisational measures to protect your data, including:

  • All data in transit is encrypted via HTTPS/TLS.
  • Passwords are managed by AWS Cognito and are never stored in plain text.
  • Database access is restricted to authenticated application processes only.
  • We do not store payment information of any kind.

No system is completely secure. If you believe your account has been compromised, please contact us immediately at hi@sendurl.to.

8. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — request correction of inaccurate data.
  • Erasure — request deletion of your account and associated data.
  • Portability — request your data in a machine-readable format.
  • Objection — object to processing based on legitimate interests.
  • Restriction — request that we limit how we process your data.

To exercise any of these rights, email us at hi@sendurl.to. We will respond within 30 days.

9. Children's Privacy

The Service is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the effective date at the top of this page and, for registered users, send a notification to your registered email address.

11. Contact

For any privacy-related questions or requests, please contact us at hi@sendurl.to.

Terms of ServiceBack to home