Privacy Policy

Last updated: March 24, 2026

1. Data Controller Information

Service: Butterlink
Provided by: Peter Jakubek
Contact: contact[at]peterjakubek[dot]com
Data Protection Contact: see above

2. What Data We Collect

We collect minimal data necessary to provide our link management service:

  • Truncated IP Addresses: Only the first two segments (e.g., 192.168.x.x) for anti-abuse protection. Full IP addresses are never stored.
  • Destination URLs: The original long URLs you choose to shorten.
  • Short Link Slugs: Auto-generated 8-character codes for your short links.
  • Access Tokens: Secure 32-character tokens for viewing link statistics.
  • Click Counts: Anonymous aggregate counts of how many times your link was clicked.
  • Timestamps: Creation dates for links and rate limit tracking.
  • Link Preview Data (OG Proxy): When a social media platform, messaging app, or tool (e.g. Notion, Slack, LinkedIn) requests a link preview for a Butterlink short URL, our servers fetch and cache the Open Graph metadata (title, description, image) of the final destination URL. This data is cached for up to 24 hours in our Upstash Redis instance and is used solely to display an accurate preview to the recipient. The destination website may log our server's IP address during this fetch. No personal data of the link creator or recipient is involved in this process.

3. Why We Collect Data

  • Service Provision: To create, store, and redirect short links.
  • Anti-Abuse Protection: To prevent spam, malware distribution, and service abuse through rate limiting.
  • Statistics: To provide you with click counts for your links.
  • Security: To protect against bot attacks and ensure service reliability.

4. Legal Basis for Processing (GDPR Article 6)

We process your data based on:

  • Legitimate Interest (Art. 6(1)(f)): Anti-abuse measures and service security.
  • Contract Performance (Art. 6(1)(b)): Providing the link shortening service you requested.
  • Consent (Art. 6(1)(a)): For non-essential cookies (if accepted).

5. How Long We Keep Data

  • Truncated IP Addresses: Maximum 24 hours (auto-deleted from Redis).
  • Short Links:
    • Deleted after 90 days if they receive 0 clicks
    • Deleted after 2 years of inactivity (no new clicks)
    • Or when you manually delete them
  • Click Statistics: Stored with the link until deletion.

6. Your Rights Under GDPR

You have the following rights:

  • Right to Access (Art. 15): Request information about what data we store about your links.
  • Right to Erasure (Art. 17): Delete your short links permanently using the delete button on the stats page.
  • Right to Data Portability (Art. 20): Export your link data in JSON format.
  • Right to Object (Art. 21): Object to processing based on legitimate interest.
  • Right to Lodge a Complaint: Contact your local data protection authority if you believe we've violated GDPR.

To exercise these rights, contact us at [YOUR EMAIL] with your access token.

7. Data Sharing and Third Parties

We do not sell your data. We use the following service providers:

  • Vercel (USA): Web hosting and edge functions - Privacy Policy
  • Upstash (USA/EU): Redis caching for rate limiting and link preview cache - Privacy Policy
  • Neon (USA): PostgreSQL database hosting - Privacy Policy
  • Cloudflare (USA/EU): Turnstile bot protection - Privacy Policy
  • Clerk Inc. (USA): Authentication and account management - Privacy Policy. A Data Processing Agreement is in place.
  • Destination websites (various): When generating link previews, our server makes an outbound request to the destination URL. The destination website may log our server IP. No user personal data is transmitted to destination websites.

8. International Data Transfers

Your data may be processed in the United States and European Union. We ensure adequate protection through:

  • Standard Contractual Clauses (SCCs): EU-approved data transfer mechanisms with our US providers.
  • EU Data Residency Options: Upstash offers EU-region data storage.
  • Encryption in Transit: All data transfers use TLS 1.3+ encryption.

9. Security Measures

  • HTTPS encryption for all connections (TLS 1.3+)
  • Rate limiting to prevent abuse (10 requests/min, 100/day)
  • Cloudflare Turnstile bot protection
  • Secure access tokens (32-character random strings)
  • Regular security updates and monitoring
  • No plaintext password storage (we don't use accounts)

10. Cookies and Tracking

We use minimal cookies:

  • Essential Cookies: Cloudflare Turnstile may set temporary cookies for bot detection (only when challenged after creating 3+ links).
  • Analytics: Vercel Analytics (privacy-friendly, no personal data collected, no cookies).
  • No Tracking: We do not use tracking cookies, advertising cookies, or third-party analytics.

You can manage cookie preferences through our cookie banner.

11. Data Breach Notification

In the event of a data breach affecting your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours
  • Notify affected users if the breach poses high risk
  • Document the breach and our response

12. Children's Privacy

Butterlink is not directed at children under 16. We do not knowingly collect data from children. If you believe we have collected data from a child, contact us immediately.

13. Changes to This Policy

We may update this privacy policy to reflect changes in our practices or legal requirements. The "Last updated" date at the top indicates the most recent revision. We recommend checking this page periodically.

14. Contact Us

For privacy-related questions, data requests, or to exercise your GDPR rights:

Email: contact[at]peterjakubek[dot]com

This privacy policy is compliant with GDPR (Regulation EU 2016/679) and applicable EU member state laws.