Privacy Policy

Last updated: November 3, 2025

Introduction

Ziglink ("we", "our", or "us") operates ziglink.app, zigl.ink, and viaqr.io (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our Service.

By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our Service.

Information We Collect

Account Information

When you create an account, we collect:

  • Your GitHub or Google username and profile information (via OAuth)
  • Your email address (from your GitHub or Google account)
  • Account creation date and subscription tier

Link Data

When you create and manage links, we collect:

  • Original destination URLs and short link codes
  • Routing rules you configure (geo-location, device, time-based, custom rules)
  • Link metadata (titles, descriptions, Open Graph tags)
  • QR code generation data
  • Password hashes (if you enable password protection)
  • Expiration dates and settings

Analytics Data

When someone clicks your short links, we collect minimal analytics data:

  • Click timestamp - When the link was clicked
  • Country - Derived from IP address for geo-routing (we do NOT store IP addresses)
  • Device type - Mobile, tablet, or desktop
  • Browser type - Chrome, Safari, Firefox, etc.
  • Referrer - Where the click came from (if available)
  • Rule execution data - Which routing rule matched (if any)
  • QR code flag - Whether the click came from viaqr.io (QR code) or zigl.ink (regular link)

We do NOT collect or store: Full IP addresses, precise location data, user identifiers, cookies for end users, or any personally identifiable information about people who click your links.

Payment Information

We use Stripe for payment processing. We do NOT store your credit card information. Stripe collects and processes:

  • Billing name and address
  • Payment method details
  • Transaction history

Please review Stripe's Privacy Policy for details on how they handle your payment data.

Usage Data

We automatically collect certain information when you use the Service:

  • Pages visited and features used
  • Session duration and frequency
  • Errors and performance metrics

How We Use Your Information

To Provide the Service

  • Create and manage your account
  • Generate and route short links based on your rules
  • Track analytics for your links
  • Process payments and manage subscriptions
  • Provide customer support

To Improve the Service

  • Analyze usage patterns to improve features
  • Monitor performance and fix bugs
  • Develop new features based on user needs

To Communicate with You

  • Send service-related notifications (e.g., quota warnings, billing issues)
  • Respond to your support requests
  • Send product updates and feature announcements (you can opt out)

Data Sharing and Disclosure

We Do NOT Sell Your Data

We do not sell, rent, or trade your personal information to third parties for marketing purposes. Period.

Service Providers

We share data with trusted third-party service providers who help us operate:

  • Cloudflare - Infrastructure and edge computing (hosting, DNS, CDN)
  • Stripe - Payment processing
  • GitHub & Google - Authentication (OAuth)
  • Self-hosted Umami - Product analytics (cookieless, IP-anonymised) — runs on infrastructure we control, no data shared with Umami's vendor
  • Self-hosted Bug Sink - Server- and client-side error monitoring (Sentry envelope protocol) — runs on infrastructure we control, no data shared with Bug Sink's vendor

These providers are contractually obligated to protect your data and may only use it to provide services to us.

Legal Requirements

We may disclose your information if required to do so by law or in response to:

  • Valid legal processes (subpoena, court order, search warrant)
  • Requests from law enforcement or government authorities
  • Protection of our rights, property, or safety
  • Prevention of fraud or abuse

Business Transfers

If Ziglink is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you via email and/or prominent notice on our Service before your data is transferred and becomes subject to a different privacy policy.

Data Retention

Account Data

We retain your account information for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except where we're legally required to retain it.

Analytics Data

  • Active links: Analytics data is retained indefinitely while the link is active or archived.
  • Deleted links: When you permanently delete a link, all associated analytics data is deleted within 7 days.
  • Archived links: Analytics data is preserved when you archive a link. You can restore the link or permanently delete it anytime.

Backup Data

Data in backups may persist for up to 90 days after deletion but is not accessible or used except for disaster recovery.

Data Security

We implement industry-standard security measures to protect your data:

  • Encryption in transit: All data transmitted over HTTPS/TLS
  • Encryption at rest: Sensitive data (passwords, session tokens) is encrypted
  • Access controls: Limited employee access with role-based permissions
  • Regular security audits: Monitoring and vulnerability scanning
  • Edge infrastructure: DDoS protection and automatic failover

However, no method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

Your Rights and Choices

Access and Portability

You can access and download your data anytime through your dashboard. For a complete data export, contact support@ziglink.app.

Correction and Deletion

  • Update your profile information in account settings
  • Delete individual links through the dashboard
  • Delete your entire account (Settings → Delete Account)

Marketing Communications

You can opt out of marketing emails by clicking "Unsubscribe" in any marketing email. You will still receive essential service notifications (billing, security alerts).

Do Not Track

We do not track end users who click your links across other websites or services. We only collect minimal analytics for the single click event.

Cookies and Tracking Technologies

Essential Cookies

We use cookies strictly necessary for the Service to function:

  • better-auth.session_token: Session authentication token (required to stay logged in)
  • oauth_return_to: Temporary cookie during OAuth login (deleted after use)
  • link_password: Password-protected link access (if you enable password protection)

No Third-Party Tracking

We do NOT use third-party tracking cookies, ad-tech analytics, or advertising cookies. End users who click your links are NOT tracked or cookied by Ziglink.

Product Analytics (Self-hosted Umami)

We use a self-hosted instance of Umami running on infrastructure we control to understand how the dashboard is used (page views, referrers, device class). Umami is configured to be cookieless, store no personal identifiers, and anonymise IP addresses before they reach our database. We use it only on Ziglink's own pages — never on your short links — and rely on it for product improvement and capacity planning. Legal basis: legitimate interest under GDPR Art. 6(1)(f); we balance this against your rights and do not use the data for profiling or advertising.

Error Monitoring (Self-hosted Bug Sink)

We use a self-hosted instance of Bug Sink (Sentry-envelope-compatible) running on infrastructure we control to detect and diagnose application errors. When an error occurs, the report includes the error message and stack trace, the URL where it happened, your browser's user-agent string, and the route id. We do not attach session tokens, request bodies, or PII. Reports are retained no longer than 90 days. Legal basis: legitimate interest under GDPR Art. 6(1)(f) — operating a stable, secure service.

Children's Privacy

Our Service is not intended for children under 13 (or 16 in the EU). We do not knowingly collect personal information from children. If you believe we have collected data from a child, please contact us immediately at privacy@ziglink.app.

International Data Transfers

Ziglink operates globally using Cloudflare's edge network. Your data may be processed in countries outside your residence, including the United States and European Union. We ensure appropriate safeguards are in place for international transfers in compliance with GDPR and other data protection laws.

GDPR Compliance (EU Users)

If you are in the European Economic Area (EEA), you have additional rights:

  • Right to access: Request a copy of your personal data
  • Right to rectification: Correct inaccurate data
  • Right to erasure: Delete your data ("right to be forgotten")
  • Right to restriction: Limit how we use your data
  • Right to portability: Receive your data in a machine-readable format
  • Right to object: Object to processing for certain purposes
  • Right to withdraw consent: Withdraw consent at any time (doesn't affect prior processing)

To exercise these rights, contact privacy@ziglink.app. We will respond within 30 days.

California Privacy Rights (CCPA)

California residents have the right to:

  • Know what personal information we collect, use, and share
  • Request deletion of personal information
  • Opt out of sale of personal information (we don't sell data)
  • Non-discrimination for exercising your rights

Contact privacy@ziglink.app to exercise these rights.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. For material changes, we will notify you via email or prominent notice in the Service.

Continued use of the Service after changes constitutes acceptance of the updated Privacy Policy.

Contact Us

If you have questions or concerns about this Privacy Policy, contact us: