Privacy Policy

Last updated at June 10, 2026

Your privacy is important. This Privacy Policy explains how we handle information when you use our URL shortening service ("Service"), in accordance with the EU General Data Protection Regulation (GDPR).

Data Controller

The operator of lur.to is the data controller for personal data processed by the Service. You can reach us through our support form .

Information We Collect

  • URLs – We encrypt and securely store the URLs you shorten.
  • IP Addresses – We anonymize IP addresses using a one-way hash before any storage, so they cannot be traced back to you. Hashed values used for rate limiting are deleted automatically within minutes.
  • Usage Data – We collect limited, non-identifiable usage data, such as visits, link clicks, general location (country or city level) and referral sources, for analytics purposes only.
  • Activity Detection – We detect minimal interactions (e.g., clicks, scrolls) solely to prevent automated abuse (bots). No tracking profiles are created, and no personal data is stored.
  • Support Requests – If you contact us through the support or report form, we collect the name, email address, and message you provide so we can respond to you.

How We Use Your Information and Legal Bases

Under the GDPR, we process data on the following legal bases:

  • To generate and manage shortened URLs securely – necessary to provide the Service you request (Art. 6(1)(b) GDPR).
  • To prevent abuse, enforce rate limits, and ensure security – our legitimate interest in keeping the Service safe and operational (Art. 6(1)(f) GDPR).
  • To monitor and improve Service performance using anonymized analytics – our legitimate interest (Art. 6(1)(f) GDPR).
  • To respond to support and report requests you submit – necessary to handle your request (Art. 6(1)(b) and 6(1)(f) GDPR).

Cookies and Local Storage

We do not use cookies and do not require a cookie consent banner. Your browser's local storage is used only for strictly functional purposes: a short-lived anti-abuse token and remembering interface preferences (such as a dismissed notice). None of this data identifies you or leaves your device for tracking purposes.

Sharing of Information

  • We do not sell or share your personal information.
  • Information may be disclosed only when required by law or to prevent abuse.

Data Security and Retention

  • URLs are stored securely using AES-256 encryption.
  • We use HMAC-SHA256, a secure cryptographic algorithm, to create unique, one-way identifiers for your links.
  • IP addresses are anonymized to protect your privacy; hashed rate-limiting records expire automatically.
  • Analytics tracking contains no personal identifiers.
  • Shortened URLs are retained until their expiration time, or as long as needed to operate the Service.
  • Support requests are retained only as long as necessary to resolve your inquiry.
  • URLs flagged as suspicious by our safety scanning are automatically blocked.

Your Rights Under the GDPR

If you are in the European Economic Area, you have the right to:

  • Access, rectify, or erase your personal data (Art. 15–17 GDPR).
  • Restrict or object to processing (Art. 18 and 21 GDPR).
  • Receive your data in a portable format (Art. 20 GDPR).
  • Lodge a complaint with your local data protection supervisory authority (Art. 77 GDPR).

Note that shortened URLs are stored without any link to the person who created them (Art. 11 GDPR). Because we cannot identify which URLs belong to you, rights that require identifying your data may not apply to shortened URLs unless you provide additional information that allows us to locate them. For support requests, where we hold your name and email, all rights above apply fully – contact us via the support form to exercise them.

International Data Transfers

Our infrastructure runs on Cloudflare's global network, so technical data may be processed outside the European Economic Area. Such transfers are safeguarded by Cloudflare's Data Processing Addendum, which incorporates the European Commission's Standard Contractual Clauses.

Third-Party Services

We use Cloudflare to provide security, performance optimization, and content delivery. When you access our Service, Cloudflare may temporarily process technical information such as your IP address and request data to detect malicious activity and improve network reliability. Cloudflare acts as our data processor under the EU General Data Protection Regulation (GDPR). For more information, see Cloudflare’s Privacy Policy .

We use Google Safe Browsing to help detect potentially unsafe links. The URL stays confidential – only a 4-byte prefix of the hashed URL is sent.

Children's Privacy

The Service is not directed at children under 16, and we do not knowingly collect personal data from them. The Service requires no account and stores no profile for any user.

Changes to this Policy

Updates may occur occasionally and will be posted on this page.

Contact

For privacy questions, use our support form .