Privacy Policy

Last updated: 17.03.2025

1. Introduction and Controller Contact Information
Your privacy is important to us. This Privacy Policy explains how EU.PE (“we”, “us”, or “our”) collects, uses, and protects personal data when you use our URL shortener and related services (including QR code generation, bio pages, and analytics features). EU.PE is operated by Digital Marketing Agency ROMBEY, Owner: Christopher Rombey, located at Theodor-Körner-Str. 29, 41812 Erkelenz, Germany. For the purposes of the EU General Data Protection Regulation (GDPR) and other applicable data protection laws, we are the data Controller for the personal data processed via our services.

If you have any questions about this Privacy Policy or your personal data, you can contact us at:

  • Postal Address: Digital Marketing Agency ROMBEY, Attn: Data Protection, Theodor-Körner-Str. 29, 41812 Erkelenz, Germany
  • Email: [email protected]

We are committed to handling your personal information in compliance with GDPR and other applicable privacy laws with the highest level of care and transparency.

2. Personal Data We Collect
We collect and process different types of personal data depending on your interaction with our service. This includes data provided directly by our registered customers (e.g., when creating an account or purchasing a plan) as well as data automatically collected from end-users who click on shortened links. We detail these categories below:

  • 2.1 Account and Registration Data (Customer Data): When you register for an account on EU.PE or subscribe to a plan, we collect personal data necessary to create and manage your account. This may include:

    • Contact Information: Your name, business name, business address, and email address. We may also collect a contact phone number (for support or verification purposes) if you choose to provide it.
    • Account Credentials: Username (or email) and password. Passwords are stored in hashed/encrypted form and are not visible to us.
    • Billing Details: For paid plans, we may collect your billing address and company details (such as company legal name and VAT ID if applicable) for invoicing and tax purposes.
    • Payment Information: We do not directly collect or store your sensitive payment card details on our servers. Payments are processed securely by an authorized third-party payment processor (e.g., a credit card provider or payment platform such as Stripe or PayPal). You will provide your payment card number, expiration date, and CVV directly to the payment processor on a secure payment form. The payment processor may share with us limited information such as a payment confirmation, your name, email, and an anonymized token or unique transaction ID, which we store to verify that payment was completed. We also receive information about the payment method type (e.g., credit card, PayPal), the last four digits of your card (for identification), and the billing status (paid or not paid). We never have access to your full credit card number or bank account credentials.
    • Communication Data: If you contact us (e.g., via support email or contact forms), we will collect the information you provide in those communications (such as your email address and the content of your message or attachments) in order to respond to your inquiry or resolve any issues.
  • 2.2 Service Usage Data (Analytics and Link Tracking):
    When you use our URL shortener service, either as a registered customer creating links or as an end-user clicking on a shortened link, we collect certain data automatically to provide the service and analytics. This includes:

    • Short Link Creation Data: If you create a short link, we store the original URL (destination link) you provided, the custom alias or shortcode (if you choose one), and the time and date the short link was created. If you generate QR codes or bio pages, we also store the content you input for those features. (Note: Any personal data you include in the content of a bio page or custom page is provided voluntarily by you and will be publicly accessible if you choose to share that page. Please do not include personal data in link titles or descriptions unless necessary.)
    • Click/Event Data (Short Link Visitors): Each time a user (visitor) clicks on or is redirected via a shortened link (or scans a QR code created with our service), we automatically collect certain information about that access. This may constitute personal data of the link visitor. The information collected for each link visit includes:
      • IP Address: The IP address of the device used to access the short link.
      • Geolocation Information: An approximate geographic location (country, region, or city) derived from the IP address. We use IP geolocation lookup to provide our customers with information about where their link traffic comes from. This is generally limited to city-level or country-level location. We do not determine an exact address.
      • Date and Time: Timestamp of when the short link was accessed. This helps our customers understand when their links receive traffic.
      • Device and Browser Information: Technical information about the visitor’s device and browser, such as the browser type and version, operating system, device type (e.g., mobile, desktop, tablet), and preferred language setting of the browser. We derive this from the user agent string automatically sent by the browser when requesting the link.
      • Referrer URL: If available, we collect the URL of the website or application that the user clicked the short link from (the “referring page”). For example, if the user clicked the short link on a social media site or in an email, the referrer might tell us that source. (Note: Not all clicks have a referrer, for instance if opened from some apps or if the user’s browser suppresses it.)
      • Cookie Identifiers: We may use cookies or similar technologies on our redirect page to distinguish unique visitors and count repeat clicks. Specifically, when a user clicks a short link and is directed through our service, our system may assign a unique identifier cookie to the user’s browser. This cookie does not contain personal details but allows us to recognize if the same browser/device clicks additional short links, which helps avoid over-counting unique visitors in analytics. (See Section 2.4 on Cookies for more detail.)
      • Interaction Data: If the short link is associated with special features (for example, A/B testing multiple destination URLs, or deep linking to mobile apps), we record necessary interaction events (e.g., which variant of the link was shown or which app was opened). This is needed to provide those features and corresponding analytics.

    We collect the above data about link visits to provide aggregate statistics and insights to the customer who created the short link, and to ensure the security and integrity of our service (for example, to detect and prevent misuse such as spam, malicious redirects, or excessive clicks from bots).

  • 2.3 Cookies and Tracking Technologies:
    We use cookies and similar tracking technologies on our website and within the short link service for several purposes:

    • Essential Cookies (Required): These cookies are necessary for the operation of our service. For example, when you log into your account, we use session cookies to maintain your login state as you navigate the dashboard. A session cookie will store a unique session ID tied to your account so that our site recognizes your authenticated requests. “Remember Me” functionality (if you select it at login) uses a persistent cookie so that you remain logged in on that device. These essential cookies do not require consent under applicable law, as they are needed to provide the service you requested.
    • Analytics Cookies: We may use our own first-party analytics cookies or similar methods to collect information about how our website is used (e.g., which pages are visited, performance metrics, etc.). Currently, we do not use any third-party analytics services that set cookies (such as Google Analytics) on our marketing website. Any analytics are done using either server logs or cookies under our control. If in the future we deploy analytics cookies that require consent, we will inform you and obtain consent via a cookie banner.
    • Advertising/Marketing Cookies: We do not display third-party advertisements on our site, and we do not use advertising cookies or trackers for our own marketing at this time. We also do not knowingly allow third-party ad networks to set cookies through our site.
    • Third-Party Tracking Pixels (Customer-Configured): Important: Our service offers customers (Business Pro and Pro plan users) the ability to integrate third-party tracking pixels or scripts into their short links and bio pages. For example, a customer may add a Facebook/Meta Pixel, Google Analytics tag, LinkedIn Insight tag, or other marketing analytics code to a shortened link’s preview or redirect. When a link with such tracking integration is clicked, the third-party code may execute and set cookies or collect data from the end-user’s device. This means that data about the link visitor (such as IP address, device info, and any existing cookies previously set by that third-party on the user's browser) will be sent to that third-party (e.g., Facebook, Google, LinkedIn). These third-party trackers are controlled by our customers, not by EU.PE. We do not receive the detailed data collected by those third parties, aside from whatever aggregate information the customer sees from their tracker. For instance, if a customer adds their Facebook Pixel to a link, Facebook may record that the user (if logged into Facebook or with Facebook cookies) clicked on that link and may use that info for ad analytics. Such third-party processing is covered by the third party’s own privacy policy (e.g., Facebook’s or Google’s privacy policy). We require our customers to ensure they have a legal basis (such as consent from the link visitor, if required by law) to use any third-party tracking pixels via our service. However, EU.PE as the platform is not directly collecting or controlling the data collected by those third-party trackers on link visits. If you are a visitor clicking a link and you have concerns about tracking, please be aware that the link owner may be using such trackers. You can often opt-out or adjust your settings with those third-party services (for example, via Facebook’s ad settings or using browser tracking protection).

    Managing Cookies: You can control cookies through your browser settings. Most browsers allow you to refuse new cookies, delete existing cookies, or be notified when new cookies are set. However, please note that if you disable essential cookies (such as the session cookies), parts of our service (like the user login or redirect functionality) may not work properly. For analytics or other non-essential cookies, we will either provide an opt-out or not set them without consent, as required by law.

  • 2.4 Log Files and Technical Data: Like most websites, our servers automatically create logs of visits. These logs may include the IP address and device information of visitors to our website (eu.pe), dates/times of access, pages viewed, and any error messages. We primarily use these logs for security, debugging, and ensuring the reliable operation of our service. For example, we may review logs to investigate potential malicious activities (such as attempts to attack our servers) or to fix software bugs. We do not use these server logs for marketing purposes, and routine log data is typically deleted or anonymized after a short period unless needed for security analysis.

3. Purpose and Legal Basis for Processing
We process personal data only for specific purposes and where we have a legal basis to do so under GDPR. The purposes and corresponding legal bases are:

  • 3.1 Provision of the Service / Performance of Contract: The primary reason we collect personal data is to provide you with the EU.PE URL shortening and related services as requested by you. When you register an account or purchase a subscription, a contract is formed between you (the Customer) and us (the Provider) for the use of our services. We must process your data to fulfill this contract, for example:

    • To set up and maintain your user account (Article 6(1)(b) GDPR – performance of a contract).
    • To enable you to create short links, QR codes, and bio pages and to store those and make them accessible via the internet (performance of contract).
    • To record link analytics and display them to you in your dashboard, as part of the service features you signed up for. This includes processing of link visitor data and aggregating it for your analysis, which is a core function you expect when using our service (performance of contract with you, the customer, for providing link analytics).
    • To process payments for paid plans, issue invoices, and manage subscriptions (performance of contract, and compliance with legal financial obligations).
    • To provide customer support, answer your inquiries, or troubleshoot issues (as part of providing the service under the contract).
  • 3.2 Legitimate Interests: We also process certain data under the basis of our legitimate interests (Article 6(1)(f) GDPR), provided such interests are not overridden by your fundamental rights and freedoms. We have carefully balanced our interests with your privacy. Processing under legitimate interests includes:

    • Analytics and Improvements: We may use aggregated, pseudonymized, or non-identifiable data about how our service is used to understand performance and usage trends. For example, analyzing how many links are created or clicked in a given period, which features are most used, etc., helps us improve our services and user experience. When possible, we use non-personal data or aggregate data for this. Where personal data (like IP addresses in server logs or cookie IDs) are used for analytics, we rely on legitimate interest in improving our service efficiency and quality.
    • Security and Abuse Prevention: It is in our legitimate interest to ensure the security of our platform and prevent misuse. We process personal data (like IP addresses, device info, account credentials, and usage logs) to monitor for fraudulent or malicious activities. For instance, we may automatically analyze link traffic patterns to detect spam or Distributed Denial of Service (DDoS) attacks, and we use IP addresses to block malicious actors. This processing protects both us and our users and is a necessary part of running a secure service.
    • Enforcing Terms and Legal Claims: If we need to investigate or enforce violations of our Terms of Service (such as misuse of the platform to host illegal content), we will process personal data involved in such incidents under our legitimate interest in upholding our legal rights and the integrity of our service. We may also process data as needed to establish, exercise, or defend against legal claims.
    • Direct B2B Marketing to Customers: If you are a business customer, we may use your contact information (email or business address) to send you occasional product updates, offers, or newsletters about our services that are relevant to your use of EU.PE. We consider this a legitimate interest to grow and develop our service. Important: Every such communication will provide a clear opt-out/unsubscribe option. If you opt out, we will cease marketing communications. We do not send marketing emails to individuals who have only clicked a link (end-users) or who have not had a customer relationship with us. We also do not sell or share your contact details with third-party marketers.
  • 3.3 Consent (if applicable): In general, we do not rely on consent for most data processing, as we either process data to perform our contract with you or under legitimate interests as described. However, there are some situations where we may request your consent:

    • If we ever want to use non-essential cookies or third-party analytics/advertising cookies on our marketing website, we will ask for your consent via a cookie banner (per Article 6(1)(a) GDPR). You have the right to refuse or withdraw such consent.
    • If we engage in any activity that legally requires consent (for example, publishing a customer testimonial with personal data or sending promotional communications to a person who is not an existing customer), we will obtain consent. In such cases, you can withdraw consent at any time by contacting us, and we will stop the processing that was based on consent. Withdrawal of consent will not affect the lawfulness of processing done before the withdrawal.
  • 3.4 Legal Obligations: We are subject to certain legal obligations that may require processing of personal data (Article 6(1)(c) GDPR). For example:

    • Tax and Accounting Laws: We must retain certain billing and payment records (which may include your name, business information, and transaction history) for a legally required period (typically 6-10 years in Germany) to comply with tax and financial regulations.
    • Law Enforcement Requests: If we are legally required by a valid request (such as a court order or subpoena) to provide personal data to government authorities, we will process and disclose data strictly as needed to comply with that legal obligation. (See also Section 5 on data sharing.)
    • Regulatory Compliance: Other laws (such as telemedia laws or data protection laws) might impose obligations like providing an imprint (Impressum) or safeguarding personal data. We process data to meet these requirements as needed.

4. How We Share or Disclose Personal Data
We treat your personal data as confidential and do not sell it. However, in order to run our business and provide our services, we sometimes need to share data with third parties. When we share data, we do so under strict conditions to protect your privacy. The categories of recipients of personal data include:

  • 4.1 Service Providers and Processors: We use trusted third-party companies to help us operate our service (under Data Processing Agreements as required by Article 28 GDPR). These providers process data only on our behalf and under our instructions. Key service providers include:

    • Payment Processing Provider: As mentioned, a third-party (e.g., Stripe, PayPal, or a similar payment gateway) handles credit card and payment transactions. They will receive billing information and payment details to process your subscription fees. These providers are PCI-DSS compliant and are data controllers for your payment information in their own right, but they also act as our processors for confirming payments. We only share the necessary data (like transaction amount, your account ID or email) with them to link the payment to your account. Payment providers may be located outside the EU (see Section 6 on International Transfers). We ensure any such provider complies with GDPR (for instance, Stripe’s European entity and Standard Contractual Clauses for data transfer to the US).
    • Hosting and Infrastructure: Our websites, databases, and servers are hosted by third-party hosting companies. Currently, we host our service on servers located in the European Union (for example, with a reputable hosting provider such as IONOS SE in Germany). All data you provide to us (account data, link data, etc.) is stored in these server systems. Our hosting provider may technically have access to data for storage and backup, but they are not allowed to use it for any other purposes. They are contractually bound to confidentiality and GDPR compliance.
    • Email and Communication Tools: We use email service providers to send transactional emails (such as verification emails, password resets, notifications) and possibly newsletter or marketing emails (if you subscribed). For transactional emails, we may use our own mail server or a service like SendGrid, Mailgun, or similar. These services would process your email address and the content of the mail. If we send newsletters or updates, we will use a list management service (and only send to those eligible as described in 3.2). All such providers will be bound by data protection agreements.
    • Analytics/Performance Tools: As of now, we do not extensively use third-party analytics on our platform beyond our own systems. If this changes, for example if we use a service to help analyze server performance or errors (such as Sentry, Datadog, etc.), those tools might incidentally process some data (like IP addresses or error logs containing user IDs). We will ensure any such tool is GDPR-compliant and mention it here if applicable.
    • Content Delivery Networks (CDN): To ensure fast global delivery of our service, we might use a CDN (such as Cloudflare or a similar provider). A CDN caches content (like images, scripts, or static pages) on servers around the world. When you access our site or a short link, your request might go through the CDN which then provides the content quickly from a nearby location. In this process, the CDN will see your IP address and the requested URL, which could be considered personal data. We only use CDN providers that either keep data within the EU or adhere to EU-US data transfer regulations. For example, if we use Cloudflare, they participate in Standard Contractual Clauses and have committed to GDPR compliance. The CDN acts as our processor for the limited purpose of speeding up content delivery and security (they may also provide DDoS protection).
    • Data Storage and Backup: We maintain backups of our databases to prevent data loss. Backups are stored securely (encrypted when possible) and handled either by our hosting provider or a secure cloud storage service. Any such storage provider will be subject to confidentiality and data protection obligations. Backup data is retained only as long as necessary for disaster recovery.
  • 4.2 Within Our Organization: Personal data may be accessed by personnel within Digital Marketing Agency ROMBEY who need to process it for the purposes described (e.g., our support team accessing your account info to assist you, or our administrators maintaining the servers). Access to personal data is restricted to authorized personnel who are bound by confidentiality. Since we are a small organization, typically the owner (Christopher Rombey) and a limited number of staff or contractors handle personal data, all of whom are informed about data protection requirements.

  • 4.3 Our Customers (for Link Analytics): If you are an end-user clicking a short link, some of your data (as described in 2.2) will be shared with the customer who created that short link. Specifically, the aggregated analytics about link clicks (including potentially your country location, device type, etc.) are visible to the customer in their dashboard. We do not share your IP address directly with the customer in a raw form; however, the customer can see analytics like “X clicks from [City/Country]” or “Y clicks using Chrome browser”. In some cases, if the customer exports raw data and if our service provides such an option, individual click logs might be available to that customer including timestamp and generalized location. The customer does not receive personally identifying information like your name (unless you yourself provided it on their bio page or such) or your exact address – only technical click statistics. Nonetheless, because the customer effectively “controls” the links they create and can view the data from clicks, they are considered an independent Data Controller for the personal data of link visitors in many respects. We act as a Data Processor on behalf of our customer for the link visitor data, by collecting and analyzing it as instructed by the customer’s use of our tools. (See Section 8 on GDPR roles and Data Processing Agreement availability.)

  • 4.4 Legal Compliance and Protection: We may disclose personal data to third parties (such as attorneys, courts, or law enforcement authorities) if such disclosure is necessary:

    • To comply with a law, regulation, legal process, or governmental request (such as responding to a subpoena or court order). We will carefully review the legality of any request and only provide the minimum data necessary. Where allowed, we will inform the affected user of such requests.
    • To enforce our Terms of Service or other agreements, or to investigate potential violations thereof.
    • To detect, prevent, or address fraud, security, or technical issues. For example, if we detect content involving child pornography or other serious crimes, we will report it to the appropriate law enforcement authorities and provide them with any data necessary for investigation (as we are legally obligated to do).
    • To protect the rights, property, or safety of our company, our users, or the public as required or permitted by law. This includes exchanging information with other companies or organizations for fraud protection and spam/malware prevention.
  • 4.5 Business Transfers: If in the future our business or assets are acquired by, or merged with, another company, personal data we hold may be part of the transferred assets. We would only do this in the context of such a corporate transaction (e.g., merger, acquisition, bankruptcy, dissolution, reorganization). In such an event, we will ensure the new owner continues to handle your personal information in line with this privacy policy or we will notify you and give you an opportunity to object or delete your data before transfer.

We do not sell personal data to third-party companies for their independent marketing or commercial use. Any sharing is solely for the purposes listed above. When we share data with processors, they are contractually forbidden from using it for anything other than providing services to us and must maintain confidentiality and security of your data.

5. International Data Transfers
We are based in Germany and aim to store and process all personal data within the European Union (EU)/European Economic Area (EEA) to the greatest extent possible. Most of our primary systems (hosting, databases) are located in the EU. However, some of our third-party service providers may be located outside the EU/EEA or may process data outside the EU. For example:

  • If we use Stripe as a payment processor, while Stripe has a European entity (Stripe Payments Europe, Ltd. in Ireland) for EU customers, it may involve processing of data by Stripe, Inc. in the United States.
  • If a customer adds a third-party tracking pixel like Facebook or Google, those companies (Meta Platforms, Google LLC) process data in the United States or other countries outside the EU.
  • Our email delivery service or CDN might use servers in the US or globally to send communications or serve content.

When personal data is transferred out of the EU/EEA, we take steps to ensure appropriate safeguards are in place as required by GDPR Chapter V. These measures include:

  • Adequacy Decision: If data is sent to a country that the European Commission has determined provides an adequate level of data protection (e.g., countries like Switzerland, UK, Canada, etc.), we rely on that decision.
  • Standard Contractual Clauses (SCCs): For transfers to the United States or other countries without an adequacy decision, we use the European Commission’s Standard Contractual Clauses (SCCs) or equivalent contractual measures. For instance, our contracts with US-based service providers (payment processors, CDN, etc.) include SCCs obligating them to protect EU personal data according to EU standards. We also assess on a case-by-case basis whether additional technical or organizational measures (such as encryption in transit and at rest) are needed to ensure data security in the destination country.
  • Other Safeguards: In some cases, providers may be certified under frameworks like the EU-US Data Privacy Framework (if applicable) or similar schemes that facilitate compliant transfers. We will monitor legal developments and use appropriate frameworks as they become available or necessary.

Important note for link visitors: If a customer uses third-party trackers (as described in 2.3), data about you might be sent to countries outside the EU (like the US) by those third parties. While we contractually require customers to use such features in compliance with law, EU.PE itself cannot control those data flows. If you want to avoid such transfers, you may use browser settings or extensions to block third-party scripts, or avoid clicking links that you suspect might have tracking (though we understand this is not always feasible).

By using our services or by interacting with our site, business customers acknowledge that their own data and the data of their link visitors may be processed outside the country in which they are located, and they agree that we can transfer data to and from the United States and other jurisdictions as necessary, provided we implement the safeguards as described.

If you have questions about our international data transfer practices or want more information about specific transfer mechanisms (e.g., a copy of the SCCs used), please contact us at the email provided in Section 1.

6. Data Retention Periods
We retain personal data only for as long as necessary to fulfill the purposes outlined in this policy, unless a longer retention period is required or permitted by law. The retention periods vary depending on the type of data and purpose of processing:

  • 6.1 Account Data: If you are a registered customer, we retain your account information (such as your name, contact details, account credentials) for as long as your account is active. You have the option to delete your account at any time. Upon your request to delete an account (or if we terminate your account pursuant to our Terms), we will deactivate the account and delete or anonymize personal data associated with your profile within a reasonable timeframe. In general, account data will be removed from our active systems immediately or within [30 days] of account deletion. However, we may retain some of your account data in backups or archives for a short period until those backups are cycled out, and we may retain transactional records as required by law (see below).
    Note: If your account is on a paid subscription and you delete your account, this will cancel your subscription. We will wipe all of your user-generated data from our systems, including your shortened links, link analytics, tracking pixels, and any content on bio pages (as indicated in our FAQ). Once deleted, this data cannot be recovered. Please ensure you have exported any data you wish to keep (we provide export tools for links and analytics) before deleting your account.

  • 6.2 Subscription and Payment Records: We are legally obligated to retain financial records of transactions (invoices, payment history, etc.) for a certain period. In Germany, tax laws typically require retention for 10 years. Therefore, even after account deletion, we will retain invoice records, billing information, and related personal data (like your name, company, address on the invoice, amount paid) for up to 10 years. This data will be stored securely and only used for compliance with accounting laws or in case of audits. It will not be used for marketing or other active purposes once your account is deleted, except if needed for legal claims.

  • 6.3 Shortened Links and Analytics Data:

    • For active customers (account still open), we retain the data you create until you choose to delete it or your account is deleted. This means all your short links, QR codes, bio pages and their associated data remain in our database until removed by you. You can delete individual short links or other items at any time via your dashboard; deletion will remove associated click analytics for that link as well.
    • We implement different data retention limits for link analytics based on your subscription plan:
      • Free Plan / Pro Plan: Detailed click analytics (IP addresses, etc.) for each link are retained for a limited period (e.g., 90 days) and older data is automatically purged. Aggregate statistics may be kept (e.g., total clicks per month) but granular data beyond the retention window is deleted or anonymized. This is to limit storage of personal data in line with our data minimization principles.
      • Business Pro Plan: As a premium offering, we may retain analytics data for a longer period or indefinitely for active Business Pro customers, to allow year-over-year analysis, etc. However, even for Business Pro, we may periodically aggregate or archive older data to manage storage. If you require specific retention guarantees, we can address that in a custom plan or Data Processing Agreement.
    In summary, link click data is kept as long as necessary for providing the analytics service to our customers and as per the plan’s limits. If you downgrade or cancel your subscription, we might reduce retention accordingly (for example, if you move from Business Pro to a Free plan, we might delete older analytics beyond 90 days as the free plan allows). We will notify you of any significant change in data availability if that occurs.

  • 6.4 Logs and Security Data: Our server logs (including IP addresses of visitors to our site and link redirect logs) are kept for a short period, typically 90 days or less, unless we need to retain them longer for security analysis. For instance, if we notice suspicious activity, we might isolate and keep relevant log entries until the issue is resolved. After the retention period, logs are automatically deleted or anonymized. Aggregate statistics derived from logs (with personal data removed) may be kept longer.

  • 6.5 Communications: If you contact us via email or support ticket, we may retain those communications for our records as long as needed to address your issue and for an appropriate time afterward in case you have follow-up questions. Typically, support emails are archived and might be kept for up to 2 years, unless you request deletion of a particular correspondence and we have no legal necessity to keep it.

  • 6.6 Backup Copies: Our system performs regular backups for reliability. Backup files are encrypted and stored securely. They are retained for a limited duration (e.g., rotating daily/weekly backups over a few weeks). When backups expire, they are deleted. If your data was deleted from the live system (e.g., you deleted your account), it’s possible that some remnants remain in backup files until those backups are pruned. We ensure that any restoration from backups also respects deletion requests (meaning if we ever had to restore a backup, we would re-delete any data that had been previously requested for deletion).

After the expiration of the relevant retention periods, personal data will either be deleted, anonymized, or in some cases archived in a manner that is beyond use (e.g., moved to a secure archive only accessible if required by law). Anonymized data (which is no longer associated with an identifiable individual) may be retained indefinitely for statistical purposes without further notice.

7. Data Subject Rights (Your Rights under GDPR)
As an individual whose personal data we process, you have certain rights under the GDPR (and equivalent rights under other data protection laws where applicable). We are committed to honoring these rights. You may exercise these rights by contacting us via the contact details provided in Section 1. These rights include:

  • 7.1 Right of Access: You have the right to obtain confirmation whether we are processing your personal data, and if so, to request a copy of the personal data we hold about you. We will provide you with a copy of the data undergoing processing, along with information on the purposes of processing, categories of data, recipients, retention periods, and the data subject rights (as per Article 15 GDPR). For additional copies, we may charge a reasonable fee based on administrative costs.

  • 7.2 Right to Rectification: You have the right to request correction of any inaccurate personal data we hold about you. You also have the right to have incomplete data completed, by providing a supplementary statement or update. In practice, registered users may correct and update most of their account information directly through their account settings. For any information you cannot change yourself, contact us and we will rectify it promptly.

  • 7.3 Right to Erasure (“Right to be Forgotten”): You have the right to request deletion of your personal data under certain circumstances (Article 17 GDPR). This is not an absolute right, but we will honor it to the extent required by law. You may request erasure if, for example:

    • The personal data is no longer necessary for the purposes for which it was collected or processed;
    • You withdraw consent (if the data was processed based on consent) and we have no other legal basis for processing;
    • You object to processing based on our legitimate interests (see 7.6) and we have no overriding legitimate grounds to continue;
    • We processed your data unlawfully; or
    • We must erase your data to comply with a legal obligation.
    Please note that if you have an active account, you can achieve erasure by deleting your account as described above, which removes most data. However, certain data cannot be fully erased if still needed for legal compliance (e.g., invoice records). We will inform you if any such exceptions apply when you request erasure. Also, if you request deletion of data that is necessary for using the service (like your account credentials), we will have to cancel your service as part of fulfilling your request.

  • 7.4 Right to Restriction of Processing: You have the right to request that we limit the processing of your personal data in certain cases (Article 18 GDPR). This means we would store your data but temporarily not use or share it until the restriction is lifted. You can invoke this right if:

    • You contest the accuracy of the data – for a period enabling us to verify the accuracy;
    • The processing is unlawful and you oppose erasure and request restriction instead;
    • We no longer need the data for the original purpose, but you need it for the establishment, exercise, or defense of legal claims;
    • You have objected to processing (see 7.6) and await verification whether our legitimate grounds override yours.
    When processing is restricted, we will mark the data and only process it with your consent or for legal reasons. We will also inform you before lifting any restriction.

  • 7.5 Right to Data Portability: For data that you have provided to us and that we process by automated means based on your consent or on a contract (Article 20 GDPR), you have the right to request that we provide it to you in a structured, commonly used, machine-readable format (for example, CSV or JSON), and you have the right to transmit that data to another controller. You can also ask, where feasible, that we transfer the data directly to another service provider. In practical terms, much of your data on EU.PE (like your list of short links, click statistics) can be exported via our dashboard (we provide export functionality in common formats). If you need assistance or a more comprehensive export (including account information), contact us and we will assist in providing your data. Note that data portability applies to personal data concerning you; for link analytics, while we consider it your provided data (since you created the links and we collected on your behalf), personal data about link visitors might not be directly portable by you to another service (except as aggregated in your exports).

  • 7.6 Right to Object: (a) If we process your data based on legitimate interests (Article 6(1)(f) GDPR), you have the right to object to that processing on grounds relating to your particular situation. If you file such an objection, we will stop processing the personal data unless we have compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or unless processing is necessary for the establishment, exercise, or defense of legal claims.
    (b) Where your personal data are processed for direct marketing purposes, you have the right to object at any time to processing of your data for such marketing. This is an absolute right – if you object, we will stop using your data for direct marketing immediately. This includes profiling to the extent it is related to direct marketing. For example, if you as a customer receive our newsletter or product updates and you object or unsubscribe, we will remove you from the mailing list. (As noted, we do not market to non-customers without consent.)
    If you wish to object to any processing, please contact us specifying the particular processing you want to object to.

  • 7.7 Right to Withdraw Consent: If we rely on your consent for any processing of your personal data, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing done before the withdrawal. For example, if you gave consent to receive a newsletter, you can revoke it by unsubscribing, and we will stop. Currently, the service does not heavily rely on consent except in optional cases (like cookie consent or marketing emails), as described in Section 3.3. You can manage those consents easily (e.g., cookie settings via the banner, unsubscribe link in emails). For any other consent withdrawal, contact us.

  • 7.8 Automated Decision-Making: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you, unless an exception applies under Article 22 GDPR (such as you explicitly consented, or it’s necessary for a contract, etc.). We do not engage in fully automated decision-making with legal or significant effects on individuals. While we do automated processing for analytics and security (e.g., automatically flagging a malicious link), these do not involve decisions that would seriously affect your rights or interests without human review. If that ever changes, we will inform you and ensure compliance with GDPR’s requirements for such processes.

  • 7.9 Right to Complain to a Supervisory Authority: If you believe that our processing of your personal data violates data protection laws, you have the right to lodge a complaint with a data protection supervisory authority. You may do so in the EU Member State of your habitual residence, your place of work, or the place of the alleged infringement. For example, you can contact the North Rhine-Westphalia Commissioner for Data Protection and Freedom of Information (LDI NRW), since our company is based in NRW, Germany. Alternatively, you can reach out to any other relevant supervisory authority. We would, however, appreciate the chance to address your concerns directly before you approach a regulator – please feel free to contact us with any issues and we will do our best to resolve them promptly and transparently.

We will endeavor to respond to any legitimate requests regarding your rights within one month of receipt (this can be extended by two further months if necessary, depending on complexity and number of requests, but we will inform you if an extension is needed). We may need to verify your identity to ensure that we do not disclose data to an unauthorized person. This could involve asking for information from you that matches our records.

8. Data Controller and Processor Relationship; Data Processing Agreement
Depending on the context, we may act as a Data Controller or a Data Processor for different sets of personal data under GDPR:

  • For the personal data of our customers (the information in your account, your usage of our platform, etc.), we act as the Data Controller. We decide how to process that data to run our service (as described in this Privacy Policy).
  • For personal data of end-users who click on shortened links (the visitors’ data described in Section 2.2), we primarily collect and process that data to provide a service (analytics) to our customer who created the link. In many cases, our customer determines the purpose of collecting that analytics data (to analyze their marketing campaign, for example). In GDPR terms, our customer could be considered the Data Controller for the visitor data, and EU.PE is the Data Processor acting on their behalf. We analyze the data and present it to them according to their configuration of the service. We do not use link visitor data for our own purposes unrelated to providing the service to our customer (except for the limited cases of ensuring security and integrity of our platform, see legitimate interests). Therefore, we offer to enter into a Data Processing Agreement (DPA) with any customer who requires it for compliance. This DPA will outline that we (Digital Marketing Agency Rombey operating EU.PE) process personal data on behalf of the customer, under their instructions, and implement appropriate security measures, etc., in accordance with Article 28 GDPR.

In practice, to keep things simple: We treat all link analytics data as confidential data belonging to our customer, and we will not access or disclose it except as permitted in our Terms or as instructed by the customer or required by law. We use it only to provide the service. For customers who need a signed DPA for their records (for instance, if they themselves are EU companies needing to show they handle user data lawfully), we can provide a standard DPA upon request. Please contact us if you require a Data Processing Agreement; we will be happy to facilitate that.

9. Data Security Measures
We take the security of personal data seriously and implement various technical and organizational measures to protect it:

  • Encryption: All communications between your browser and our service are encrypted via SSL/TLS (HTTPS). This means any data you transmit to us (including link click data, your login credentials, etc.) is encrypted in transit. We also encrypt sensitive data at rest where appropriate. For example, passwords are hashed, and any payment information we store (like tokens or IDs from payment processors) is stored securely.
  • Access Controls: Our database and servers can only be accessed by authorized personnel with secure authentication. Internally, we restrict access to personal data on a need-to-know basis. Administrative access to systems requires strong passwords and, where possible, two-factor authentication.
  • Monitoring and Patching: We keep our software and infrastructure updated with security patches. We monitor for any suspicious activity or vulnerabilities. Regular backups are maintained to prevent data loss.
  • Organizational Policies: Our staff are trained on data protection principles. Any contractors or partners are required to adhere to confidentiality agreements. We have procedures in place for handling any suspected data breaches, including investigation and notification to authorities or affected individuals if required by law.
  • Audit and Testing: We may periodically review our security measures and policies to ensure they are up to date. This can include vulnerability scanning or engaging third-party security experts to conduct audits/penetration tests.
  • Physical Security: Our servers are in secure data centers with appropriate physical security controls (guarded facilities, controlled access, etc., managed by our hosting provider).

Despite our efforts, no system can be 100% secure. However, we strive to use industry best practices to protect your data. If you have reason to believe that your data is no longer secure (for example, if you feel your account has been compromised), please contact us immediately.

10. Third-Party Links and Resources
Our website or dashboard may occasionally contain links to third-party websites (for example, a link to our help center, documentation, or external resources) or integrate with third-party services. If you follow a link to any external site, please note that those sites have their own privacy policies and that we do not accept any responsibility or liability for their content or practices. This Privacy Policy only applies to EU.PE’s processing of personal data. We encourage you to read the privacy statements of other sites or services you visit via links from our platform.

11. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our services, legal obligations, or for other operational, legal, or regulatory reasons. If we make material changes to the way we collect or use personal data, we will provide a prominent notice (e.g., on our website or by email to registered users) and obtain consent if required by law. The “Last updated” date at the top will always indicate when the latest changes were made. We encourage you to review this policy periodically to stay informed about how we are protecting your information.

If you have any questions or concerns about this Privacy Policy or our data practices, please do not hesitate to contact us at [email protected]. We value your privacy and will do our best to address any issues promptly.