Privacy Policy
Last Updated: January 21, 2026
At shorter.sh, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our URL shortening service.
1. Information We Collect
1.1 Automatically Collected Information
When you use our service, we automatically collect certain information, including:
- IP Address: Your IP address is collected for analytics and abuse prevention purposes
- Click Data: When someone clicks a shortened URL, we record the timestamp and increment the click counter
- Browser Information: User agent, browser type, and device information
- Referrer Information: The webpage that referred you to our service
- Timestamp: Date and time of URL creation and clicks
1.2 Information You Provide
- URLs: The original long URLs you submit for shortening
- Local Storage Data: We store your URL history locally in your browser (not on our servers) for your convenience
1.3 Administrator Accounts
For administrative access, we collect:
- Email Address: Used for account authentication
- Password: Stored as a secure bcrypt hash (never in plain text)
- Session Tokens: For maintaining authenticated sessions
2. How We Use Your Information
We use the collected information for the following purposes:
- Service Provision: To create, store, and redirect shortened URLs
- Analytics: To provide click statistics and usage analytics
- Abuse Prevention: To detect and prevent spam, phishing, malware distribution, and other malicious activities
- Service Improvement: To understand usage patterns and improve our service
- Legal Compliance: To comply with applicable laws and regulations
- Security: To protect against unauthorized access and maintain service security
3. Data Storage and Retention
Each data category has a defined retention window enforced by an automated cleanup process running every six hours. These defaults are admin-configurable; the values below reflect production defaults.
| Data Category | Retention | Notes |
|---|---|---|
| Shortened URLs | Until deleted | Removed when you delete your account or admin moderation action. |
| Click analytics (per-click rows) | 90 days | Aggregate counters on each URL persist indefinitely. |
| Sessions | 24 hours | Auto-expire; cleanup deletes expired rows. |
| Web Risk validation log | 90 days | Records URL safety scans; used for operational diagnostics. |
| Abuse reports (resolved/dismissed) | 730 days | Pending reports retained until acted upon. |
| Appeals (approved/rejected) | 730 days | Pending appeals retained until acted upon. |
| Admin audit log | 7 years | SOC2-friendly default; configurable by administrators. |
| Admin login attempts | 1 day | Anti-bruteforce counters; no personally identifiable information stored. |
| Server logs (Cloudflare) | Per Cloudflare policy | Access logs are managed by Cloudflare per their retention policies. |
| Local browser storage | Browser-managed | URL history is stored locally in your browser, not on our servers. Clear via browser settings or the "Clear all" button. |
Right to Deletion
Registered users can self-delete their account from the Dashboard under "Delete account". This permanently removes your URLs, API keys, and sessions and replaces your email with a tombstone so the address can be re-registered. For accounts without self-service access (anonymous URLs), contact us at privacy@shorter.sh.
4. GDPR Compliance and Your Rights
If you are located in the European Economic Area (EEA), you have the following rights under the General Data Protection Regulation (GDPR):
- Right to Access: Request access to your personal data
- Right to Rectification: Request correction of inaccurate data
- Right to Erasure: Request deletion of your data ("right to be forgotten")
- Right to Restriction: Request restriction of processing your data
- Right to Data Portability: Receive your data in a structured, machine-readable format
- Right to Object: Object to processing of your personal data
- Right to Withdraw Consent: Withdraw consent at any time where we rely on consent
To exercise these rights, please contact us at the information provided below.
5. Cookies and Tracking Technologies
We use the following technologies:
- Local Storage: To store your URL shortening history locally in your browser (optional, can be disabled)
- Session Cookies: To maintain authenticated admin sessions (essential for service functionality)
- CSRF Tokens: To protect against cross-site request forgery attacks
You can control cookie preferences through your browser settings. Note that disabling certain cookies may limit service functionality.
6. Data Sharing and Third Parties
We do not sell, trade, or rent your personal information to third parties. We may share data only in the following circumstances:
- Service Providers: With Cloudflare (our hosting provider) as necessary to provide the service
- Legal Obligations: When required by law, court order, or government request
- Protection of Rights: To protect our rights, property, or safety, or that of our users or the public
- Abuse Prevention: To investigate and prevent fraudulent, unauthorized, or illegal activity
7. Data Security
We implement industry-standard security measures to protect your data:
- Encryption: All data is transmitted over HTTPS/TLS
- Password Security: Passwords are hashed using bcrypt with salt
- CSRF Protection: Cross-site request forgery tokens on all state-changing operations
- Security Headers: HTTP security headers including HSTS, X-Frame-Options, CSP
- Input Validation: All user inputs are validated and sanitized
However, no method of transmission over the Internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
8. International Data Transfers
Your data may be transferred to and processed in countries other than your country of residence. We ensure appropriate safeguards are in place for such transfers in compliance with applicable data protection laws.
9. Children's Privacy
Our service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us immediately.
10. Do Not Track
We do not track users across third-party websites. However, our service does collect click analytics for shortened URLs as described in this policy.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by updating the "Last Updated" date. Continued use of the service after changes constitutes acceptance of the updated policy.
12. Contact Information
If you have questions about this Privacy Policy or wish to exercise your data protection rights, please contact us through the appropriate channel:
- Privacy Inquiries: privacy@shorter.sh
- GDPR/Data Rights Requests: privacy@shorter.sh (include "GDPR Request" in subject line)
- General Inquiries: hello@shorter.sh
- Abuse Reports: https://shorter.sh/abuse or abuse@shorter.sh
- Legal Inquiries: legal@shorter.sh
We aim to respond to all privacy-related inquiries within 30 days as required by GDPR. For urgent security matters, we prioritize responses within 48 hours.
13. Data Protection Officer
For data protection inquiries, you may contact our Data Protection team at privacy@shorter.sh. We are committed to resolving privacy concerns in accordance with applicable data protection laws, including GDPR, CCPA, and other regional privacy regulations.
14. Legal Basis for Processing (GDPR)
We process personal data under the following legal bases:
- Legitimate Interest: To provide and improve our URL shortening service
- Contract Performance: To fulfill our service obligations to users
- Legal Obligation: To comply with applicable laws and regulations
- Consent: Where explicitly provided for optional features