Privacy Policy for blink2.link

Last updated: February 10, 2026
Version: 1.0

Introduction

Protecting your personal data is a priority for blink2.link. This Privacy Policy explains what personal data we collect, how we use it, who we share it with, how we store and protect it, and what rights you have.

This policy applies to all users of the blink2.link website and related services (the "Service"), regardless of location.

Legal basis:

GDPR (EU General Data Protection Regulation 2016/679)
Law of Ukraine "On Personal Data Protection" (No. 8153 of June 1, 2010, as amended in 2023)
Other applicable privacy laws

Data controller:
FOP Yuriy Yelizarov
Company ID: 2234715012
City: Lviv, Ukraine

1. Data we collect

1.1. Account data (provided by you)

At registration (required):

Email address — for identification, authentication, and communication
Password — stored encrypted (bcrypt hash); we cannot read it

Optional (provided by you if you choose):

Name or organization
Country or region
Avatar (if uploaded)

Legal basis: Performance of contract (Terms of Service). Without this data we cannot provide the Service.

1.2. Service usage data

Short links and content:

Original URLs you shorten
Custom aliases
Date and time of link creation
Tags and categories for organization
Link status (active/archived)

Domain settings:

Domain names you connect
DNS records for verification
SSL certificates (generated automatically)

API usage:

API key (encrypted)
API request logs (IP, endpoint, timestamp, result)
Request counts for rate limiting

Legal basis: Performance of contract and our legitimate interests (functionality and abuse prevention).

1.3. Short link analytics

When someone clicks your short link, we collect and provide the following information:

Technical visitor data (anonymized):

IP address — anonymized (last octet removed), used only for country/city detection
User-Agent — browser, OS, device type information
Referrer — traffic source
Browser language — for geographic statistics
Date and time of visit — for time charts

Geographic data (derived from IP):

Country
City (when available)
Time zone

Important:

We do NOT collect names, emails, phone numbers, or other personal identifiers of visitors
IP addresses are anonymized in accordance with GDPR
Analytics are aggregated; we show statistics, not individual visitor data
We do not profile visitors or track them beyond the link redirect

Legal basis: Our legitimate interests (providing analytics) and performance of contract.

1.4. Payment data (processed by Paddle)

When you subscribe to a paid plan, payment data is processed by Paddle.com Market Limited (Merchant of Record):

What we receive from Paddle:

Email address (for account sync)
Cardholder name
Billing country
Subscription information (plan, price, start/end dates, status)
Paddle subscription ID
Transaction history (date, amount, payment status)

What we do NOT receive:

Full card number
CVV
Full payment details
PayPal or other wallet data

All payment data is processed and stored by Paddle in compliance with PCI DSS. See: Paddle Privacy Policy.

Legal basis: Performance of contract (subscription processing and invoicing).

1.5. Automatically collected data (website usage)

Server logs:

IP address (stored up to 90 days for security)
Browser User-Agent
Pages visited on blink2.link
Date and time of access
Referrer
Errors and technical events

Legal basis: Legitimate interests (security, abuse detection, maintenance).

1.6. Cookies and similar technologies

We use cookies to operate and improve the Service.

Strictly necessary cookies:

session_token — authentication session token (deleted on logout)
csrf_token — CSRF protection
cookie_consent — stores your cookie preferences

Functional cookies:

theme — selected theme (light/dark)
language — UI language
dashboard_layout — dashboard layout preferences

Analytics cookies:

Google Analytics — anonymized analytics (IP anonymization enabled)
First-party analytics — aggregated usage statistics

Retention:

Session cookies — until browser close
Persistent cookies — 30 days to 1 year

How to manage cookies:

In your browser settings
Via the cookie banner on first visit
In your account settings: Settings → Privacy → Cookie management

Do Not Track (DNT):
We respect browser DNT signals. If DNT is enabled:

Third-party analytics cookies (Google Analytics) are disabled
Only essential cookies remain

Legal basis: Consent (for non-essential cookies) and legitimate interests (for essential cookies).

1.7. Communication data

Support:

Email correspondence
Content of your request
Attached files or screenshots
Date and time of contact

Email communications:

Email opens (via tracking pixel)
Link clicks
Preferences for email types

Legal basis: Consent (marketing emails) and performance of contract (transactional emails).

Mandatory transactional emails include, in particular, emails during registration and workspace invitation emails sent by another user. By performing these actions, you agree to receive such emails.

2. How we use your data

2.1. Providing the Service (contract performance)

Account management: creation, authentication, password recovery
Link shortening: storing and processing URLs for short links
Redirects: enabling redirects to destination URLs
Analytics: collecting and displaying click statistics
Custom domains: DNS setup, SSL certificates, routing
API access: handling requests, rate limiting, responses

2.2. Payments (contract performance)

Subscription synchronization: activating/deactivating features per plan
Invoicing: generating invoices via Paddle
Subscription management: upgrades, cancellations, renewals
Fraud prevention: detecting suspicious payment activity

2.3. User communications

Transactional emails (cannot unsubscribe):

Registration confirmation and email verification
Payment success/failure notifications
Subscription expiry reminders (7 days)
Cancellation confirmations

Marketing emails (optional):

Product updates and news
Educational content and tips
Promotions and special offers

2.4. Security and protection

Detecting and preventing fraud, abuse, and attacks
Protecting the Service and users from unauthorized access
Monitoring suspicious activity

3. Data sharing

3.1. Service providers (sub-processors)

We use the following trusted providers:

Supabase.com (Database and authentication)

Credential storage
User authentication
Database hosting

Vercel.com (Hosting and infrastructure)

Web app hosting
Edge functions and CDN

Paddle.com (Payment processor)

Payment processing
Invoicing
Subscription management

Email service (SMTP provider)

Sending system and transactional emails

Analytics (optional)

Google Analytics (with your consent)
First-party analytics tools

All sub-processors comply with GDPR and implement appropriate security measures.

3.2. Legal disclosure

We may disclose your data:

If required by law or court order
To protect our rights and interests in legal disputes
To prevent fraud or security threats

4. Your rights

You have the right to:

Access information about your data processing
Receive a copy of your personal data
Correct inaccurate or incomplete data
Request deletion ("right to be forgotten")
Restrict processing
Object to processing for marketing purposes
Data portability
File a complaint with a data protection authority

To exercise your rights, use the in-app feedback form in your account.

5. Data retention

We retain your data:

While your account is active
For the time necessary to provide the Service
Longer if required by law (for example, financial records)

After account deletion, your data may be deleted or anonymized unless prohibited by law.

6. Data security

We implement technical and organizational measures to protect your data:

Encryption in transit (TLS/SSL)
Role-based access control
Regular backups
Security monitoring

However, no transmission or storage method is 100% secure.

7. Changes to this Privacy Policy

We may update this Policy periodically. Material changes will be communicated at least 30 days in advance.

8. Contact

Legal entity: FOP Yuriy Yelizarov, 2234715012
City: Lviv, Ukraine