Privacy policy

urliz is a URL shortening service. We try to keep what we collect to the minimum we need to run the product, keep it secure, and give you useful analytics on the links you create. This policy explains the full picture so you can make informed choices.

If you only read one section, read this one: we store the short links you make, basic metadata about the clicks they receive (country, city, referrer, user agent), and the email or sign-in identifier you used to register. We do not sell your personal information. We do not show third-party advertising on the redirect.

In this policy, "urliz", "we", "us" and "our" refer to the operator of urliz.io. urliz is run as an independent project. You can reach us by email at any time using the addresses in the Contact section below.

For data-protection purposes, the operator of urliz.io acts as the data controller of the information described in this policy. If you create short links on a custom branded domain that you control, you may be the controller of the resulting click data and we act as a processor on your behalf.

Account information. When you sign up, we receive your email address and a hashed password (or, if you sign in with a third-party provider, the identifier and email that provider returns to us). We also store your chosen language and theme preferences.

Links you create. The destination URL, the short code, any custom slug, expiry rules, click limits, password (stored as a PBKDF2 hash, never in clear text), and the time the link was created.

Click events. When someone follows one of your short links, we record the time of the click, the approximate country and city derived from the visitor IP at the edge, the referring URL if the browser sent one, and the user agent string. We do not store the raw IP address of click visitors in our database.

Custom domains. If you connect a branded short domain, we store the hostname, verification status, and timestamps from the DNS verification process.

Technical logs. Our hosting and edge providers automatically log requests for operational and security purposes (for example to mitigate abuse). These logs include IP addresses and are retained by those providers for limited periods.

Cookies and similar storage. We use a small number of first-party cookies and browser storage entries, listed in the Cookies section below.

We use the information we collect to:

• Provide the service: shorten links, redirect visitors, show analytics, and manage your account.
• Keep accounts secure: detect abuse, rate-limit suspicious activity, support multi-factor authentication.
• Communicate with you about service-critical events such as security alerts, policy changes, or account recovery.
• Improve the product through aggregated, non-identifying usage trends.
• Comply with legal obligations and respond to valid legal process.

We do not use your personal information to train machine-learning models, and we do not sell it.

If you are located in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases under the GDPR / UK GDPR:

• Contract. We process your account data and the links you create to perform our agreement to provide the service.
• Legitimate interests. We process click metadata, security logs, and aggregated analytics in our legitimate interest in operating, securing and improving urliz, balanced against your rights.
• Consent. Where required by law (for example, non-essential cookies), we ask for your consent and you can withdraw it at any time.
• Legal obligation. We process information when we are required to comply with applicable law or valid legal process.

We share information only with the categories of recipients below, and only to the extent necessary:

• Infrastructure providers. Our hosting platform, database provider, edge cache and email provider process data on our behalf under data-processing terms.
• Authentication and MFA providers. Sign-in flows and time-based one-time-password verification rely on provider services.
• Safe-browsing services. Destination URLs may be checked against threat-intelligence services to protect visitors from phishing and malware.
• Analytics within your own account. Click analytics are visible to the account owner of the link and to anyone they share their dashboard with.
• Legal and safety. We may disclose information when we believe in good faith that disclosure is necessary to comply with the law, protect our rights, or protect the safety of users or the public.
• Business transfers. If urliz is acquired, merged or transferred, your information may be transferred as part of that transaction, subject to this policy.

We do not sell or rent your personal information to advertisers or data brokers.

urliz uses cookies and browser storage that fall into three categories:

• Strictly necessary. Authentication tokens, CSRF protection, language preference, and the cookie-consent record itself. These are required for the site to work and are set without consent.
• Analytics. First-party measurement of how the product is used, only set if you accept analytics in the cookie banner.
• Marketing. Reserved for future use; only set if you accept marketing in the cookie banner.

You can change your cookie preferences at any time using the "Cookie preferences" link in the footer. Your browser also lets you block or delete cookies through its settings, but some site features will stop working without strictly-necessary cookies.

urliz is operated using infrastructure that may process data in regions different from the one you live in, including the United States. Where data is transferred out of the EEA, the UK or Switzerland, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses, equivalent UK data transfer mechanisms, or the data importer's certification under a recognised cross-border framework.

We keep account information for as long as your account is active. When you delete your account, we delete or anonymise your account information within 30 days, except where we must retain limited data to comply with legal obligations, resolve disputes or enforce our agreements.

Click events are retained as long as the related link exists. Aggregated, non-identifying analytics may be retained indefinitely.

Edge and hosting logs are retained for short, provider-defined periods (typically 7 to 30 days) and used solely for security and operational diagnostics.

If you are in the EEA, the UK or Switzerland, you have the following rights under data-protection law:

• Access: request a copy of the personal information we hold about you.
• Rectification: ask us to correct inaccurate or incomplete information.
• Erasure: ask us to delete your information, subject to legal exceptions.
• Restriction: ask us to limit how we process your information in certain cases.
• Portability: receive a structured, machine-readable copy of information you provided to us.
• Objection: object to processing based on legitimate interests.
• Withdraw consent: where processing is based on consent, withdraw it at any time.
• Complain: lodge a complaint with your local data-protection authority.

To exercise any of these rights, write to privacy@urliz.io. We may ask you to verify your identity before acting on a request.

If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) gives you the following rights:

• Know. Request the categories and specific pieces of personal information we have collected about you, the sources we collected it from, the purposes for which we collected it, and the categories of third parties we share it with.
• Delete. Request deletion of personal information we collected from you, subject to legal exceptions.
• Correct. Request that inaccurate personal information be corrected.
• Limit. Limit our use and disclosure of sensitive personal information to purposes specified by the CPRA.
• Opt out of sale or sharing. We do not sell or share personal information as those terms are defined under the CCPA. If that ever changes, this section will be updated and a clear opt-out will be provided.
• Non-discrimination. We will not discriminate against you for exercising your privacy rights.

To exercise these rights, contact privacy@urliz.io. You may designate an authorised agent to act on your behalf, in which case we will request reasonable verification of the agent's authority.

urliz is not directed at children under 13 (or under 16 in the EEA), and we do not knowingly collect personal information from them. If you believe a child has provided us with personal information, contact privacy@urliz.io and we will delete it.

We protect your information using industry-standard practices: TLS in transit, encryption at rest in our managed databases, hashed passwords (PBKDF2-HMAC-SHA-256, 600,000 iterations), optional two-factor authentication, scoped service-role keys, and per-IP rate limits on sensitive endpoints. No system is perfectly secure, and we cannot guarantee absolute security, but we work to reduce risk continuously.

urliz redirects to destination URLs that you and other users have set. We do not control those destination sites and we are not responsible for their content, privacy practices, or security. Use good judgement before clicking a short link from a source you do not trust.

We may update this privacy policy from time to time. When we do, we will update the effective date at the top of the page. If the changes are material, we will provide a more prominent notice (such as an in-product banner or an email) before they take effect.

For privacy questions, requests under GDPR or CCPA, or any other data-protection topic:

Email: privacy@urliz.io. Legal notices: legal@urliz.io.