Privacy Policy
We built xuurl with privacy at the core. This page explains what data we collect, how we use it, and the rights you have.
Last updated: September 28, 2025
1. Who we are
xuurl is a privacy-first link shortener and analytics platform. When we say “we”, “us” or “our”, we mean xuurl and its team.
2. Data we collect
We collect the minimum data needed to run xuurl effectively:
- Account data: name, email, password hash, billing info (via payment processor).
- Usage data: links, slugs, link pages, preferences.
- Analytics data: click timestamp, referrer, country/region (from IP), device/OS/browser.
- Support data: messages or attachments you send.
- Logs: server and security logs to keep the platform reliable and safe.
3. How we use data
- Provide and improve xuurl features
- Serve fast redirects and analytics
- Prevent spam and abuse
- Respond to support requests
- Process subscriptions and billing
- Comply with law
4. Legal bases (GDPR)
For users in the EEA/UK, we rely on these bases:
| Purpose | Legal basis |
|---|---|
| Accounts & core features | Contract |
| Billing & payments | Contract / Legal obligation |
| Analytics & product improvement | Legitimate interest |
| Security & abuse prevention | Legitimate interest / Legal obligation |
| Marketing emails | Consent |
5. Cookies & tracking
We use only essential and limited first‑party cookies:
| Category | Examples | Duration |
|---|---|---|
| Essential | Login sessions | Session |
| Preference | UI state (e.g., theme) | Up to 12 months |
| Analytics | Anonymous usage stats | Up to 12 months |
6. How we share data
We share data only with trusted providers (hosting, email, billing) bound by confidentiality and data protection terms. We may also share data if legally required or to protect safety.
7. Data retention
We keep data only as long as needed:
- Account data: while account is active + short retention
- Analytics: stored in aggregate; IPs not kept long‑term
- Support: retained for service improvement
- Logs: rolling short retention
8. Security
All traffic is encrypted (HTTPS). We enforce access controls, monitoring, and backups. No system is perfectly secure — use strong passwords and 2FA when possible.
9. Your rights
Depending on where you live, you may request to:
- Access, correct, or delete data
- Object to processing
- Export/port your data
- Withdraw consent (for marketing)
EEA/UK users can contact their supervisory authority. California users can request disclosures or deletion under CCPA/CPRA. We don’t sell personal data.
10. International transfers
Data may be processed outside your country. We apply safeguards like Standard Contractual Clauses when required.
11. Children
xuurl is not directed at children under 16. If a child provides data, contact us to have it removed.
12. Policy changes
We update this policy when practices change. Material updates will be announced in‑app or by email.
13. Contact us
Questions or requests? Reach us at:
- Email: support@xuurl.com
- Address: xuurl — Legal & Privacy, 123 Example Street, City, Country