Privacy Policy

Provider / Controller (GDPR):
Byteman UG (limited liability), represented by Managing Director Luca Bartmann
Platzl 1a (c/o Winter Werndl-Laue Rechtsanwälte), 80331 Munich, Germany
Email: contact@urlify.eu • Web: urlify.eu

Effective date: 25/08/2025

1) Scope & roles

This Privacy Policy explains how we, as controller, process personal data when you use our website/portals, create an account, enter into contracts, or communicate with us.
Where we process data for business customers in connection with “URLIFY” (URL shortener/redirection/analytics), we generally act as processor; the DPA available at /dpa applies. Our customers themselves are controllers for the processing they instruct (e.g., redirections/tracking on their instruction).

2) Categories of personal data & sources

  • Account and contract data: name, email, password hash, billing address, plan, terms, cancellations.
  • Payment/billing data: payment status, transaction and invoice metadata (via Stripe); no full payment details stored by us.
  • Product usage & redirect logs: accessed short/target URLs, timestamps, IP address, user agent, referrer, device/browser info, approximate geo data (derived from IP), internal IDs, API usage, error messages.
  • Communication/support data: contents of enquiries, metadata (time, channels).
  • Website/portal data: server logs, technically necessary cookies/similar technologies; optional consent‑based technologies where used.

Sources: provided directly by you (registration, usage, support), from our systems/third parties (e.g., Stripe), and automatically through use of the services (server/security logs).

3) Purposes and legal bases (Art.6 GDPR)

  • Contract & account (Art.6(1)(b)): provision/administration of your account, delivery of the SaaS service, billing.
  • Operations/security (Art.6(1)(f)): stability, troubleshooting, abuse/fraud prevention (e.g., rate limiting, DDoS protection), logging. Legitimate interest: secure and efficient provision of our service.
  • Communication/support (Art.6(1)(b),(f)): responding to enquiries, contract communications.
  • Legal obligations (Art.6(1)(c)): commercial/tax retention, information/reporting duties.
  • Consent (Art.6(1)(a) in conjunction with Sec.25 TTDSG): use of non‑essential cookies/technologies (if used); consent can be withdrawn at any time with future effect.

4) Device information, cookies & similar technologies (Sec.25 TTDSG)

We use technically necessary cookies/technologies for login sessions, security and basic settings.
Non‑essential technologies (e.g., comfort/statistics/marketing) are only activated with consent; you can change choices at any time in the consent banner (“Cookie settings”).
For link redirections/product analytics, we primarily rely on server‑side logs/events; typically, no third‑party cookies are placed on end‑user devices of clickers.

4.1 Website analytics with Google Analytics (GA4)

  • Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; parent: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
  • Purpose: reach/usage analysis of our website (not of third‑party redirect target pages).
  • Legal basis: consent (Art.6(1)(a) GDPR in conjunction with Sec.25(1) TTDSG). No analytics cookies are set without consent; consent can be withdrawn at any time with future effect.
  • Data categories: pseudonymous online identifiers (e.g., client/app‑instance ID), timestamps, pages/events, referrer/UTM parameters, approximate location (derived from IP), device/browser information. IP anonymisation is enabled; IP addresses are not stored permanently in GA4.
  • Cookies (examples): _ga (2 years), _ga_<property-id> (2 years), _gid (24 hours) — actual names/durations vary by property.
  • Retention in GA4: usage/event data currently configured to 14 months (configurable per project).
  • International transfers: processing in the USA cannot be excluded; Google uses EU Standard Contractual Clauses (SCCs) and additional safeguards.
  • Data processing terms: we have concluded Google’s data processing terms; Google acts as processor.
  • Opt‑out: adjust your consent in the banner at any time; Google also offers a browser add‑on to disable Google Analytics.
  • Google settings: in your Google Account you can adjust cross‑device ads settings.

5) Recipients & service providers

We use carefully selected providers under data processing agreements. The current list is available at /subprocessors (e.g., Vercel, Neon, Tinybird, Upstash, Resend, Stripe, Google Analytics). Additional recipients where applicable: banks/payment providers, tax advisors, legal counsel, authorities (where legally required), and communications/IT‑security providers as needed.

6) International data transfers

Processing takes place primarily within the EU/EEA. Where transfers to third countries (e.g., the USA) occur, we ensure appropriate safeguards (in particular EU SCCs under Art.46 GDPR) and any necessary supplementary measures. Providers with EU locations are preferred.

7) Retention periods

  • Account/contract data: for the term of the contract; thereafter per statutory retention (generally 6 years under the German Commercial Code or 10 years under the Fiscal Code, where applicable).
  • Redirect/access logs: up to 30 days, unless longer is needed for security/error analysis.
  • Support communications: up to 24 months after the case is closed.
  • Cookies/consent records: according to lifespan/necessity; withdrawn consents are recorded.
    Where processing is no longer necessary and no retention duties apply, data are deleted or anonymised.

8) Necessity of providing data

Certain data are contractually required (e.g., email/password for the account, payment details for paid plans). Without such data, the service cannot be provided or only with limitations.

9) Your rights

Rights of access (Art.15), rectification (Art.16), erasure (Art.17), restriction (Art.18), data portability (Art.20) and to object to processing based on Art.6(1)(f) (Art.21). You may withdraw consent at any time (Art.7(3)).
To exercise your rights, email contact@urlify.eu or write to us at the postal address above.
You also have the right to lodge a complaint with a supervisory authority, e.g., the Bavarian Data Protection Authority (BayLDA) or the authority competent for your residence.

10) Security of processing (Art.32 GDPR)

We implement appropriate technical and organisational measures (TOMs), including encryption (in transit/at rest), access controls (MFA, roles, least‑privilege), logging/monitoring, DDoS/rate‑limit protection, regular backups/restore tests, secrets/key management, environment separation, and data minimisation.

11) Minors

Our service is not directed at children. Self‑registration by persons under 16 is not intended.

12) Automated decision‑making

No automated decision‑making, including profiling, within the meaning of Art.22 GDPR.

13) Changes to this notice

We update this Privacy Policy as needed. The version published at /privacy applies.