This privacy policy explains how zbrah.io collects, uses, and protects your personal data in compliance with the EU General Data Protection Regulation (GDPR) and Danish data protection law.
What Data We Collect
Account Data
When you create an account:
- Email address
- Password (encrypted, never stored in plain text)
- OAuth provider information (if using Google sign-in)
- Account creation date
- Language and locale preferences
Link Data
When you create short links:
- Destination URLs
- Short codes you create
- Custom domains you add (if applicable)
- Optional titles and metadata you provide
- Link creation and update timestamps
Analytics Data
When someone clicks your short links, we collect privacy-focused analytics:
- Timestamp of click
- Browser type and version
- Operating system
- Device type (mobile, desktop, tablet)
- Country and city (derived from IP address)
- Referring website (if any)
- Hashed IP address (SHA-256, irreversible)
Important: Analytics data is collected automatically when short links are visited. IP addresses are immediately hashed using SHA-256 and only converted into broad city-level location data, making the resulting analytics non-identifiable while still allowing us to count unique visitors.
Payment Data
Payment processing is handled by Stripe. We store:
- Stripe customer ID
- Subscription status and tier
- Subscription start and end dates
- Currency preference
We do not store credit card numbers or payment details. Stripe handles all payment information according to PCI-DSS standards.
Technical Data
We automatically collect:
- Browser locale and time zone
- Theme preferences (light/dark mode)
- Service usage patterns for performance optimization
Legal Basis for Processing
We process your data based on:
- Contractual necessity: To provide the link shortening service you signed up for
- Legitimate interests: To improve service performance, prevent abuse, and provide analytics features
- Consent: For optional features like marketing communications (if you opt in)
- Legal obligations: To comply with tax, accounting, and regulatory requirements
How We Use Your Data
We use your data to:
- Provide and maintain the link shortening service
- Authenticate you and manage your account
- Process payments and manage subscriptions
- Provide analytics on link performance
- Send transactional emails (account verification, password resets, billing notifications)
- Detect and prevent abuse, fraud, or security issues
- Improve service performance and user experience
- Comply with legal obligations
Data Sharing
We share your data only with trusted service providers necessary to operate the service:
- Convex: Database and backend infrastructure (US)
- Vercel: Hosting and edge functions (US/EU)
- Stripe: Payment processing (US/EU)
- Resend: Transactional email delivery (US/EU)
- Upstash: Caching infrastructure (optional, US/EU)
All service providers are GDPR-compliant and process data under appropriate safeguards including Standard Contractual Clauses (SCCs) where data is transferred outside the EU.
We never sell your data to third parties or use it for advertising.
Data Retention
We retain your data as follows:
- Account data: Until you delete your account, plus 30 days for backup recovery
- Link and analytics data: Until you delete links or your account
- Payment records: As required by tax and accounting regulations (typically 5 years)
- Authentication logs: 90 days for security purposes
After deletion, data may persist in backups for up to 30 days before permanent removal.
Your Rights
Under GDPR, you have the following rights:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate data
- Erasure: Delete your account and associated data
- Portability: Export your data in a structured format
- Restriction: Limit how we process your data
- Objection: Object to processing based on legitimate interests
- Withdraw consent: For processing based on consent
To exercise these rights, use the options in your account settings or contact us through support channels. Account deletion is available directly in the account settings.
You also have the right to lodge a complaint with your local data protection authority (Datatilsynet in Denmark).
Cookies and Tracking
We use essential cookies to maintain your session and preferences. We do not use third-party tracking cookies or advertising trackers.
- Authentication cookies: Keep you logged in
- Preference cookies: Remember your theme and locale settings
These cookies are necessary for the service to function and do not require consent under GDPR.
Data Security
We implement appropriate technical and organizational measures to protect your data:
- Encryption in transit (TLS/HTTPS) and at rest
- Password hashing using industry-standard algorithms
- IP address hashing before storage (SHA-256)
- Access controls and authentication
- Regular security updates and monitoring
- Automated backups with encryption
While we take security seriously, no system is completely secure. You are responsible for keeping your account credentials confidential.
International Data Transfers
Your data may be processed in countries outside the EU/EEA, particularly the United States where some of our service providers operate. All such transfers are protected by:
- Standard Contractual Clauses (SCCs) approved by the EU Commission
- Service providers' commitments to GDPR compliance
- Appropriate technical and organizational safeguards
Children's Privacy
Our service is not intended for children under 16. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us immediately.
Changes to This Policy
We may update this privacy policy to reflect changes in our practices or legal requirements. Material changes will be announced via email or service notification. Continued use after changes constitutes acceptance.
Data Controller
zbrah.io is operated from Denmark and is responsible for your personal data. You can contact the controller directly via email at privacy@zbrah.io.
Contact
For privacy questions, data requests, or to exercise your rights, please contact us.
For data protection matters, you can also contact the Danish Data Protection Agency (Datatilsynet) at datatilsynet.dk.