Your rights under the GDPR
If you are located in the European Union or another jurisdiction whose data protection laws give you the rights set out in the GDPR, you have the right, subject to any applicable exemptions, to:
- Request access to your Personal Information;
- Request correction or deletion of your Personal Information;
- Object to our use and processing of your Personal Information;
- Request that we limit our use and processing of your Personal Information; and
- Request portability of your Personal Information.
You can typically access, correct, or delete your information using your account settings. For other requests, please contact us. EU individuals also have the right to make a complaint to a government supervisory authority.
How we are designed for GDPR
- End-user PII is not required on the redirect path. Click events captured by the redirect tier are technical (referrer, user-agent, country) — not personal identifiers.
- Card data is tokenized. Payment is handled by Chargebee with Stripe as processor; we never see, store, or transmit raw card numbers.
- Editable destinations. If a destination must change — for compliance or any other reason — you update it once and existing short links are repointed.
- Click event export. Customers can export their click events for ingestion into their own systems and retention controls.
What we have not certified
To be precise: we have not yet pursued a third-party SOC 2 Type II audit, ISO 27001 certification, or a HIPAA BAA program. We will not claim them on this site until they are real. Our intent is to pursue formal attestation as the customer base scales, and the underlying infrastructure choices already align with the controls those programs require. Until those audits are completed, we are not making claims that they have been.
Data Processing Addendum
We will enter into a standard Data Processing Addendum (DPA) with customers who require one. Email team@shorten.rest with your DPA template or a request for ours.