effective April 21, 2026
Privacy policy.
Short version: we collect the minimum needed to run a URL shortener, we don’t sell it, we don’t build advertising profiles with it, and we don’t share it with third-party trackers. This page tells you exactly what that means in practice — including your rights under GDPR, UK-GDPR, and the California Consumer Privacy Act (CCPA).
1. Who we are
MicrLink is the data controller for information collected through micrl.ink. For privacy questions, rights requests, or breach notifications, contact us via the contact link in the footer, or at privacy@[YOUR-DOMAIN].
2. What we collect
When you shorten a URL
- The destination URL you paste and the short code we assign (auto-generated or custom).
- The timestamp of creation.
- Your IP address, used to enforce rate limits and detect abuse. Not displayed publicly.
When someone visits a short link
- The short code visited and the timestamp.
- The visitor’s IP address, as forwarded by the network edge.
- The User-Agent string the browser sends.
- The Referer header, if the browser sends one.
- The redirect duration (how long our server took to resolve the redirect), used only for the site-wide average latency shown on the homepage.
When you join the waitlist
- Your email address — stored to notify you when accounts go live.
- An optional intent marker (e.g. “analytics,” “qr,” “premium”) — helps us prioritize launch features.
When you file an abuse report
- The short code you’re reporting, a reason, optional email, and details.
- Your IP address (for record-keeping; never shown publicly).
When we scan destination URLs
Before creating any short link, we send the destination URL to Google Safe Browsing and PhishTank to check against threat databases. These scans are anonymous (no account or IP attached) and are processed under Google’s and PhishTank’s terms. The URL itself is shared with those services; no other personal data is.
What we do NOT collect
- No cookies, localStorage trackers, or analytics pixels.
- No third-party JavaScript (Google Analytics, Meta Pixel, etc.) is embedded on this site.
- No browser fingerprinting or session recording.
- No precise geolocation beyond what an IP address reveals.
3. How we use what we collect
- Provide the service: redirect short URLs to their destinations; deliver QR codes; render the homepage.
- Prevent abuse: IP-based rate limiting on link creation; URL safety scanning; review of abuse reports.
- Aggregate statistics: total links, total clicks, and average redirect latency displayed on the homepage. Never broken out per link publicly.
- Notify waitlist users when accounts launch — a single email, never a marketing list.
- Comply with legal process when required by law (see Section 9).
4. Legal basis for processing (GDPR)
If you are in the EU, UK, or otherwise subject to GDPR, our legal bases for processing are:
- Performance of a contract (GDPR Art. 6(1)(b)) — to provide the URL redirect service you requested.
- Legitimate interests (Art. 6(1)(f)) — abuse prevention, security, and keeping the service running reliably. Our interests are balanced against your rights; where they conflict, your rights win.
- Legal obligation (Art. 6(1)(c)) — responding to valid legal process and complying with applicable laws.
- Consent (Art. 6(1)(a)) — for waitlist signups, which you can withdraw at any time.
5. Retention schedule
We delete what we don’t need. Specifically:
- Click records (IP, User-Agent, Referer): retained for 90 days for abuse detection, then deleted automatically.
- Short URLs and their destinations: retained indefinitely while the link is active. Disabled links are kept for audit purposes. Deletion on request is available (see Section 7).
- Waitlist emails: retained until accounts launch, you unsubscribe, or 24 months have passed without account activation — whichever comes first.
- Abuse reports: retained for 18 months after resolution for pattern detection.
- Rate-limit counters: automatically purged after 24 hours.
- URL scan cache: 24 hours.
6. Who we share data with
We don’t sell your data. We use a small number of service providers (“processors”) necessary to operate the service. Each has contractual obligations to protect the data they process:
- Supabase — our database and authentication provider. Stores short URLs, clicks, waitlist emails, and abuse reports. Data is held in the region we configured at signup.
- Render — our application hosting provider. Handles HTTPS and server-side code execution.
- Google Safe Browsing — receives destination URLs we scan. No other user data attached.
- PhishTank — receives destination URLs we scan. No other user data attached.
We may also disclose data when required by law — see Section 9.
7. Your rights
All users
- Deletion: you can request deletion of any short link you created. Send the short code and the original destination URL to our contact email; the matching check prevents random third parties from requesting takedowns of your links.
- Waitlist unsubscribe: send your email and the word “unsubscribe” to our contact email.
EU / UK / EEA residents (GDPR)
You have the following rights under GDPR and UK-GDPR:
- Access (Art. 15) — what data we hold about you.
- Rectification (Art. 16) — correction of inaccurate data.
- Erasure (Art. 17, the “right to be forgotten”).
- Restriction of processing (Art. 18).
- Data portability (Art. 20) — receive your data in a structured, machine-readable format.
- Objection (Art. 21) — object to processing based on legitimate interests.
- Withdraw consent (Art. 7(3)) at any time for consent-based processing.
- Lodge a complaint with your local data protection authority.
To exercise any of these rights, contact us via the email above. We will respond within 30 days.
California residents (CCPA / CPRA)
You have rights to know, delete, correct, and limit the use of your personal information, as well as the right to opt out of sale or sharing. We do not sell or share personal information in the CCPA sense. To exercise your rights, contact us via the email above.
8. Security
Data is encrypted in transit (HTTPS) and at rest. Database access is restricted to our operators and requires authentication. We limit the amount of personal data we collect so that even in a worst-case breach, exposure is minimal. We do not store passwords or payment information (once payments are introduced, they will be processed by a PCI-compliant third party; we will not handle card data directly).
If we become aware of a personal data breach that presents a risk to user rights or freedoms, we will notify the relevant supervisory authority within 72 hours and, where required, notify affected users directly, in accordance with GDPR Art. 33 and 34.
9. Legal process
We comply with valid subpoenas, court orders, and search warrants consistent with applicable law. When legally permitted, we will notify the affected user before disclosing information. We publish a transparency note in Section 11 below; we will expand this into a proper transparency report once volume warrants it.
10. International transfers
Our infrastructure is hosted in the United States (Render and Supabase US regions). If you access the service from outside the U.S., your data will be transferred to and processed in the U.S. We rely on Standard Contractual Clauses and other appropriate safeguards where required for cross-border transfers from the EU/UK/EEA.
11. Transparency
As of the effective date of this policy, we have received zero government requests for user data. When we receive our first, we will start maintaining a transparency report here.
12. Changes to this policy
Material changes are announced on the homepage, and the “effective” date at the top of this page is updated. Minor edits (typos, link fixes) are made silently.
13. Contact
Privacy questions, rights requests, breach notifications: reach us via the contact link in the footer, or at privacy@[YOUR-DOMAIN].
last updated April 21, 2026 · this is not legal advice