iny.me ("iny.me", "we", "us", or "our") provides link-shortening, bio-page, and QR-code services through the website at iny.me and its subdomains. This policy explains what personal data we collect when you use our service, why we collect it, and what we do with it.

For the purposes of the GDPR and similar laws, iny.me, Inc. is the data controller for the information described in this policy. We're a small team based in Brooklyn, New York, with additional infrastructure operated from EU and US regions.

We try to collect as little personal information as possible while still operating a reliable service. Here's the full picture:

We do not sell your data, rent it to data brokers, or use it to train third-party advertising models. That's not the business we're in.

We use the data above for a small, defined set of purposes — each tied to a specific legal basis under GDPR Art. 6.

• To operate the service. Resolving short links, rendering bio pages, generating QR codes, and showing you analytics for the content you own. (Contract)
• To keep the service safe. Detecting abuse, blocking malware redirects, and rate-limiting bad actors. We can't do this without click metadata. (Legitimate interest)
• To bill you. If you're on a paid plan, we use account and billing data to charge you and issue invoices. (Contract)
• To talk to you. Service emails (receipts, security alerts, breaking changes). Marketing emails only if you opt in, and you can opt back out in one click. (Consent / Legitimate interest)
• To improve the product. Aggregated, de-identified usage data — never tied to your account — informs what we ship next. (Legitimate interest)

We share data with a tightly scoped list of vendors that help us run the service. Each has signed a data-processing agreement and is limited to the data they need.

• Stripe — payments and invoicing.
• AWS (eu-west-1, us-east-1) — application hosting and database.
• Cloudflare — DNS, DDoS protection, and edge caching for redirects.
• Postmark — transactional email delivery.
• Plausible — privacy-respecting first-party analytics on our marketing site.

We will only disclose data to law enforcement when compelled by a valid legal process, and we'll push back on overly broad requests. Where the law permits, we'll notify you first.

Our marketing pages use a single first-party analytics script (Plausible) that does not set tracking cookies and does not build a profile of you across sites. We're proud of that.

Once you sign in, we set a session cookie so we can keep you logged in, plus a CSRF token so a malicious site can't forge requests on your behalf. That's it — no third-party advertising cookies, no retargeting pixels.

Your visitors

You can install your own pixels (Meta, Google Ads, LinkedIn, etc.) on the short links and bio pages you create. Those pixels run under your account on your destinations — you are the data controller for what they collect, and you're responsible for disclosing them to your audience.

Account data lives as long as your account does. When you delete your account, we purge personally identifiable data within 30 days, except where we're legally required to keep it (e.g. tax records, which we retain for 7 years).

Click metadata is aggregated into analytics buckets after 90 days, and the per-event records are deleted. Raw visitor IPs are never retained beyond 24 hours.

If you're in the EU, UK, California, or another jurisdiction with modern data-protection law, you have the right to access, correct, export, restrict the processing of, and delete the personal data we hold about you. You can also object to our use of legitimate interest as a legal basis.

Most of these rights are exposed directly inside your dashboard under Settings → Privacy: export everything as JSON, wipe specific links, or close the account entirely. For anything not covered there, write to privacy@iny.me and we'll respond within 30 days.

You also have the right to complain to your local data-protection authority — but we'd appreciate the chance to make it right first.

iny.me is not designed for, or directed to, children under 13 (or 16 in the EU). We do not knowingly collect personal data from them. If you believe a child has signed up, contact privacy@iny.me and we'll close the account and delete the data.

We process data in the United States and the European Union. When we transfer data out of the EEA or UK, we rely on the European Commission's Standard Contractual Clauses (and the UK Addendum where applicable) to provide an adequate level of protection.

We may update this policy from time to time — usually to clarify language or describe new features. We'll change the "last updated" date at the top, and if the change is material, we'll email account holders at least 14 days before it takes effect.

The full revision history is on GitHub if you want to diff what changed.

Privacy questions, requests, or complaints all go to the same place: privacy@iny.me. For formal data-protection inquiries from EU representatives, write to the same address and mention "GDPR Art. 27" in the subject.

iny.me, Inc. · 99 Bogart St, Brooklyn, NY 11206, USA