Privacy Policy
Last Updated: January 21, 2026
At shorter.sh, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our URL shortening service.
1. Information We Collect
1.1 Automatically Collected Information
When you use our service, we automatically collect certain information, including:
- IP Address: Your IP address is collected for analytics and abuse prevention purposes
- Click Data: When someone clicks a shortened URL, we record the timestamp and increment the click counter
- Browser Information: User agent, browser type, and device information
- Referrer Information: The webpage that referred you to our service
- Timestamp: Date and time of URL creation and clicks
1.2 Information You Provide
- URLs: The original long URLs you submit for shortening
- Local Storage Data: We store your URL history locally in your browser (not on our servers) for your convenience
1.3 Administrator Accounts
For administrative access, we collect:
- Email Address: Used for account authentication
- Password: Stored as a secure bcrypt hash (never in plain text)
- Session Tokens: For maintaining authenticated sessions
2. How We Use Your Information
We use the collected information for the following purposes:
- Service Provision: To create, store, and redirect shortened URLs
- Analytics: To provide click statistics and usage analytics
- Abuse Prevention: To detect and prevent spam, phishing, malware distribution, and other malicious activities
- Service Improvement: To understand usage patterns and improve our service
- Legal Compliance: To comply with applicable laws and regulations
- Security: To protect against unauthorized access and maintain service security
3. Data Storage and Retention
We retain your data only as long as necessary for the purposes outlined in this policy:
- URL Data: Shortened URLs and associated metadata are stored for 5 years from creation, or until deletion is requested. URLs may be deleted earlier if they violate our Terms of Service.
- Click Analytics: Click counts and timestamps are retained for 2 years for analytics purposes, then aggregated or anonymized.
- Session Data: Session tokens expire after 24 hours and are automatically deleted from our database.
- Abuse Reports: Abuse report data is retained for 5 years for legal compliance and to prevent repeat violations.
- Server Logs: Access logs containing IP addresses are retained for 90 days for security and debugging purposes.
- Local Storage: URL history is stored locally in your browser (not on our servers) and can be cleared at any time through your browser settings or the "Clear all" button.
You may request deletion of your data at any time by contacting us at privacy@shorter.sh.
4. GDPR Compliance and Your Rights
If you are located in the European Economic Area (EEA), you have the following rights under the General Data Protection Regulation (GDPR):
- Right to Access: Request access to your personal data
- Right to Rectification: Request correction of inaccurate data
- Right to Erasure: Request deletion of your data ("right to be forgotten")
- Right to Restriction: Request restriction of the processing of your data
- Right to Data Portability: Receive your data in a structured, machine-readable format
- Right to Object: Object to processing of your personal data
- Right to Withdraw Consent: Withdraw consent at any time where we rely on consent
To exercise these rights, please contact us at the information provided below.
5. Cookies and Tracking Technologies
We use the following technologies:
- Local Storage: To store your URL shortening history locally in your browser (optional, can be disabled)
- Session Cookies: To maintain authenticated admin sessions (essential for service functionality)
- CSRF Tokens: To protect against cross-site request forgery attacks
You can control cookie preferences through your browser settings. Note that disabling certain cookies may limit service functionality.
6. Data Sharing and Third Parties
We do not sell, trade, or rent your personal information to third parties. We may share data only in the following circumstances:
- Service Providers: With Cloudflare (our hosting provider) as necessary to provide the service
- Legal Obligations: When required by law, court order, or government request
- Protection of Rights: To protect our rights, property, or safety, or that of our users or the public
- Abuse Prevention: To investigate and prevent fraudulent, unauthorized, or illegal activity
7. Data Security
We implement industry-standard security measures to protect your data:
- Encryption: All data is transmitted over HTTPS/TLS
- Password Security: Passwords are hashed using bcrypt with salt
- CSRF Protection: Cross-site request forgery tokens on all state-changing operations
- Security Headers: HTTP security headers including HSTS, X-Frame-Options, CSP
- Input Validation: All user inputs are validated and sanitized
However, no method of transmission over the Internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
8. International Data Transfers
Your data may be transferred to and processed in countries other than your country of residence. We ensure appropriate safeguards are in place for such transfers in compliance with applicable data protection laws.
9. Children's Privacy
Our service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us immediately.
10. Do Not Track
We do not track users across third-party websites. However, our service does collect click analytics for shortened URLs as described in this policy.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by updating the "Last Updated" date. Continued use of the service after changes constitutes acceptance of the updated policy.
12. Contact Information
If you have questions about this Privacy Policy or wish to exercise your data protection rights, please contact us through the appropriate channel:
- Privacy Inquiries: privacy@shorter.sh
- GDPR/Data Rights Requests: privacy@shorter.sh (include "GDPR Request" in the subject line)
- General Inquiries: hello@shorter.sh
- Abuse Reports: https://shorter.sh/abuse or abuse@shorter.sh
- Legal Inquiries: legal@shorter.sh
We aim to respond to all privacy-related inquiries within 30 days as required by GDPR. For urgent security matters, we prioritize responses within 48 hours.
13. Data Protection Officer
For data protection inquiries, you may contact our Data Protection team at privacy@shorter.sh. We are committed to resolving privacy concerns in accordance with applicable data protection laws, including GDPR, CCPA, and other regional privacy regulations.
14. Legal Basis for Processing (GDPR)
We process personal data under the following legal bases:
- Legitimate Interest: To provide and improve our URL shortening service
- Contract Performance: To fulfill our service obligations to users
- Legal Obligation: To comply with applicable laws and regulations
- Consent: Where explicitly provided for optional features