Privacy Policy

Last updated: 12.04.2025

1. Introduction

EU.PE (“we”, “us”, “our”) is a professional URL shortening and link management service targeted at business users. We take privacy seriously and comply with the EU General Data Protection Regulation (GDPR) and other applicable laws. This Privacy Policy explains how we collect, use, and protect personal data when you use our Service or when individuals click on links managed through our Service. Important: Our platform tracks extensive data about both our registered customers and end-users who click on shortened links, to provide analytics and advanced features. Please read this policy carefully to understand our practices.

Controller Contact: The Service is operated by Digital Marketing Agency ROMBEY (Owner: Christopher Rombey), located at Theodor-Körner-Str. 29, 41812 Erkelenz, Germany. For the purposes of GDPR, we act as the data controller for personal data that we collect directly (e.g., account information). For data we process on behalf of our business customers (e.g. information about individuals clicking on their links), we act as a data processor under their instruction. You can contact us with privacy inquiries at [email protected] or by mail to our postal address above, Attn: Data Protection.

2. Personal Data We Collect

We collect different categories of personal data depending on how you interact with EU.PE:

  • 2.1 Account Registration and Profile Data (Business Customer Data): If you register for an account or purchase a plan, we collect information you provide:

    • Contact Information: Name, business name, business address, and email address. We may also collect a phone number for support or verification if provided.

    • Account Credentials: Username and password (passwords are stored securely in hashed form).

    • Billing Details: Company legal name, billing address, VAT ID (if applicable) for invoicing, etc.

    • Payment Information: Payment card details are collected via our payment processor (e.g., Stripe/PayPal) on a secure form. We do not store full credit card numbers. We receive confirmation of payment and basic details like card type, last four digits, transaction ID, and payment status.

    • Affiliate Program Data: If you join our affiliate program, we collect your affiliate account details (such as payout method information like a PayPal email) and track referrals you generate. If you were referred by an affiliate, we record the referral (the referring affiliate’s ID associated with your account) to calculate commissions.

    • Communications: If you contact support or communicate with us (email or contact form), we will collect your contact details and any information you share in the inquiry.

  • 2.2 Service Usage and Analytics Data: Whenever our Service is used – either by you as a logged-in customer creating links, or by any end-user clicking a shortened link, scanning a QR code, or viewing a “link-in-bio” page – we automatically collect data about that interaction. This may include personal data of the link visitor. Specifically, for each link access or similar event, we collect:

    • IP Address: The IP address of the device used.

    • Geolocation: An approximate location (country, region, city) derived from the IP (we do not pinpoint exact addresses). This is used for analytics and features like geo-targeting (e.g., redirecting users to different URLs by country).

    • Date and Time: Timestamp of the click or visit, used for time-based analytics and to distinguish visits.

    • Device and Browser Information: Information from the user’s browser user agent string, such as browser type (e.g., Chrome), version, operating system (e.g., iOS, Windows), and device type (mobile/desktop). We also note the browser language setting, which can be used for language-based targeting.

    • Referrer URL: If available, the URL of the page that led the user to the short link (e.g., the website or app where the link was clicked). This helps identify traffic sources (email, social media, etc.). (Note: Not all clicks have a referrer, for example if the link was opened from a messaging app or the user’s browser blocked referrers.)

    • Unique Identifier (Cookie ID): We may set a first-party cookie or similar identifier when a user clicks a link, to recognize repeat visitors. This helps us avoid double-counting unique clicks and enables features like A/B test consistency. This cookie contains a random ID, not personally identifying info by itself, and is used solely for analytics.

    • Interaction Details: If a link has special settings or features, we log the outcome. For example:

      • If multiple destinations are configured (via A/B testing or a rotator), we note which variant or URL was served to the user.

      • If deep linking is used (opening a mobile app), we note if the app was opened.

      • If geo-targeting or device-targeting rules are applied, we log which rule matched (e.g., “user from UK redirected to URL X” or “mobile user sent to mobile site”).

      • If the user viewed a bio page (a profile page with multiple links), we track the page view and any clicks on that page’s links similarly to other link clicks.

    • Third-Party Integration Data: If our customer has integrated third-party services (e.g., Slack notifications or Zapier webhooks) to be triggered on link events, the fact that a link was clicked (along with associated data like location or link info) may be sent to those third-party services at the customer’s direction.

    Why we collect this: We use this data to provide our Service’s core functionality – for example, to show our customers analytics about their link traffic, to enforce their targeting settings, and to detect misuse. Essentially, nearly all available technical data from a link click is tracked so that our business customers have detailed analytics and can optimize their marketing.

  • 2.3 Cookies and Similar Technologies: On our website and redirect links, we use cookies or similar tracking technologies:

    • Essential Cookies: For logged-in users, we use session cookies to maintain your login state. These are required for the site to function (e.g., to stay logged in as you navigate the dashboard).

    • Analytics Cookies: As mentioned, our redirect system may use a cookie to count unique visitors. On our marketing site (eu.pe) we might use analytics tools to understand site usage, but as of now we do not use any third-party analytics like Google Analytics that drop cookies. Any site analytics are done with first-party tools or server logs. If we introduce non-essential analytics cookies, we will obtain consent via a cookie banner in accordance with ePrivacy rules.

    • Affiliate Tracking Cookies: If you arrive at our site via an affiliate referral link, we may place a cookie or use URL parameters to record which affiliate referred you. This allows us to attribute your signup to the correct affiliate. This cookie will typically persist for a set period (e.g., 30 days) to credit the affiliate if you sign up within that timeframe. (Note: This is solely for tracking referrals; it does not serve third-party ads.)

    • Advertising Cookies: We do not serve ads on our Service and do not use advertising networks, so we do not set advertising cookies or similar trackers for third-party ad purposes.

  • 2.4 Logs and Device Information: Our servers automatically keep logs of requests. These logs include the data mentioned in 2.2 (IP, timestamps, etc.) for each request to our system (including API calls). We use these logs for debugging, security monitoring, and maintaining service integrity. For example, logs help us detect malicious activity (like someone rapidly trying to create links or access unauthorized pages) and track uptime. Log data is normally not accessed unless needed and is routinely purged or anonymized after a retention period (see Section 6 on retention).

3. How We Use Personal Data

We use the collected data for the following purposes:

  • Providing the Service: All data collected (account info, link click data) is primarily used to operate the Service. For example, we use your registration data to create your account and authenticate you. We use link click data to generate analytics reports for you, and to carry out the redirect and targeting features you configure (e.g., deciding where to send a user based on their country or device).

  • Service Features and Enhancements: Data is used to enable specific features – e.g., IP and device data allow geo-targeting and device-specific redirects; cookies enable A/B testing consistency; email addresses allow us to send account alerts or reports.

  • Analytics and Product Improvement: We may internally analyze usage patterns (in aggregated form) to understand how our features are used and to improve our Service. For instance, we might look at overall statistics like “how many links does an average Pro user create” or “which features are used frequently” to inform development decisions. When we do so, we typically use aggregated or anonymized data that does not identify individuals.

  • Customer Support: If you contact us with a question or issue, we will use your contact and account data to respond. We might access your account or logs to troubleshoot problems you reported.

  • Security and Abuse Prevention: We use personal data (especially logs and link click data) to monitor for and prevent fraudulent or malicious activities. For example, we might detect that a single IP is trying thousands of alias combinations to find valid short links (potential abuse), or that a link is receiving an unusually high number of clicks indicative of a bot. We also scan content for malware or phishing. If we detect abuse, we may use data to block access or report offenders.

  • Legal Compliance: Where required, we use and retain data to comply with legal obligations – for instance, maintaining transaction records for tax and accounting, or responding to lawful requests by authorities (see Section 4 on sharing).

  • Marketing Communications: As a B2B service, we may send occasional product updates, offers, or newsletters to our customers’ provided email addresses. We will only do so in compliance with applicable laws (e.g., with consent or under a soft opt-in exception for existing customers). You can opt out of marketing emails at any time by using the unsubscribe link or contacting us. We will not spam you.

  • Affiliate Program: For affiliates, we use your data to track referrals and calculate commissions. For example, we tally the paid subscriptions attributed to your affiliate ID and use your provided payout information to pay you. We may also send affiliates program-related communications.

Our legal bases under GDPR for processing personal data include: performance of a contract (Art. 6(1)(b) GDPR) for data like account registration, providing the service you signed up for; legitimate interests (Art. 6(1)(f)) for analytics, security, and service improvement (we consider these interests not to override individuals’ rights, especially as most end-user data is used in aggregate form and for security); and compliance with legal obligations (Art. 6(1)(c)) for keeping records or responding to lawful requests. Where we rely on consent (e.g., for placing non-essential cookies or sending marketing emails in certain jurisdictions), you have the right to withdraw that consent at any time.

4. How We Share Personal Data

We treat your data with care and do not sell personal data. However, we do share data in certain situations:

  • 4.1 With the Customer (Business User): If you are an end-user clicking a link, some of your data is shared with the customer who created that link. Specifically, the analytics information about link clicks (location, device type, time, etc. as described above) is visible on the creator’s dashboard. We do not disclose your raw IP address or any name or email (unless you voluntarily provided such info on a bio page or form). Instead, the customer sees aggregated stats like “100 clicks from Berlin, Germany” or “60% of users on mobile.” In some cases, a business user can export more detailed click logs (e.g., each click with timestamp and country). While this data is technical, it could be considered personal (e.g., IP-derived location, time). Important: For GDPR, the business customer who uses our Service to collect analytics on link visitors is considered an independent data controller for that visitor data, and we act as their data processor. This means the customer might combine that data with other info or have to provide privacy notices to their users. (See Section 8 below for more on GDPR roles and Data Processing Agreements.)

  • 4.2 Within Our Organization: Personal data is accessed only by authorized personnel who need it to perform their duties (for example, our support staff and the owner/administrator may access account details to assist users or maintain systems). We are a small team, and all staff/contractors are bound by confidentiality and data protection obligations.

  • 4.3 Service Providers (Processors): We use third-party service providers to help run our business (all under strict privacy agreements):

    • Hosting and Infrastructure: Our servers are likely hosted by a reputable provider (possibly in the EU). All data (databases, backups) reside on those servers. The hosting provider may technically have the ability to access data stored on their infrastructure, but they are not allowed to use it for anything except maintaining our service.

    • Payment Processor: As mentioned, a third-party (e.g. Stripe or PayPal) processes payments. They handle your payment details directly and just inform us of the result. Such processors are PCI-DSS compliant and GDPR-compliant, and act as independent controllers for your payment info, or sometimes as our processors for the transaction data.

    • Email Service: We may use an email delivery service (for transactional emails like verification codes, receipts, or marketing newsletters). That means your email address and possibly name could be stored in our account with that provider to send you emails. We ensure any such provider is GDPR-compliant.

    • Analytics/Support Tools: We might use tools for customer support (e.g., a ticketing system or chat widget) or simple analytics on our website. These might process some personal data (like your email or IP) on our behalf when you interact with support or our site. We carefully choose providers with privacy safeguards.

    • Affiliate/Referral Platform: If we use software or a platform to manage the affiliate program, it will necessarily process affiliate data and track referrals. This could involve cookies or referral codes. We ensure any such platform complies with GDPR requirements.

    In all cases, service providers are bound by contracts that restrict them from using your data for any purpose other than providing services to us and to you.

  • 4.4 Third-Party Tracking Integrations: As described, our customers can insert third-party tracking scripts (like Facebook Pixel, Google Analytics) into their links or pages. When that happens, data is sent directly from the end-user’s browser to the third-party (e.g., Facebook). EU.PE itself does not receive those third-party trackers’ detailed data. We effectively facilitate the loading of those scripts, but the data collected by them is governed by the third party’s privacy policy (and the customer’s own privacy practices). For example, if a customer adds a Facebook Pixel, Facebook may receive information that user X clicked a link, along with whatever cookies or identifiers Facebook has on that user. We require customers to ensure they have obtained any necessary consents for such tracking. EU.PE is not responsible for data once it is sent to a third party via a customer’s use of this feature. (If you are a link visitor and want to opt out of such third-party tracking, you can use tools like browser tracking protection or opt-out mechanisms provided by those third parties.)

  • 4.5 Legal Disclosures: We may disclose personal data to third parties such as law enforcement, regulators, courts, or others if we believe disclosure is required by applicable law or legal process, or if we need to do so to protect our rights or the rights of others. For example, if we receive a valid subpoena or court order, we will comply and provide only the data specifically requested (after verifying the request’s legitimacy). We may also disclose information if necessary to enforce our Terms and conditions or to investigate/prevent fraud or security issues. If legally allowed, we will inform affected users of any such requests.

  • 4.6 Business Transfers: If our company is ever involved in a merger, acquisition, investment, or sale of assets, personal data may be transferred to the involved parties (e.g., to a new owner of the Service). In such a case, we will ensure the new owner is bound to respect the existing Privacy Policy, or we will notify you and obtain consent if required by law. If EU.PE were to cease operations, we would give users a chance to retrieve or delete their data beforehand where possible.

We do not sell or rent your personal data to third-party marketers. Any sharing that occurs is only as described above, primarily for providing our Service or as required by law.

5. International Data Transfers

We are based in Germany and aim to store and process data within the European Union whenever feasible. However, some of our service providers or integrations may be in countries outside the EU/EEA (for example, our email service or certain cloud providers might be in the United States). When personal data is transferred out of the EU to countries that may not have equivalent data protection laws, we will ensure appropriate safeguards are in place as required by GDPR Chapter V. This might include:

  • Relying on an adequacy decision (if the country is deemed by the European Commission to have adequate protection).

  • Using Standard Contractual Clauses (SCCs) in our contracts with the provider, obligating them to protect the data.

  • Ensuring additional technical measures as needed (encryption, etc.).

For example, if we use a US-based provider like Slack for notifications, we would have a data processing agreement with EU standard clauses to cover any transfer of personal data (like a message containing an IP address of a link click). By using our Service or providing us information, you acknowledge that your personal data may be transferred to and stored in servers located in countries outside your own, and we will take steps to protect it in transit and at rest.

6. Data Retention

We retain personal data only as long as necessary for the purposes outlined:

  • Account Data: We keep your account information while your account is active. If you delete your account or terminate the contract, we will delete or anonymize personal data associated with your account, except for data we are required or justified to keep longer (see below). For example, we will erase your saved links, click analytics, profile information, etc., typically within a short period after account deletion.

  • Link Analytics Data: We implement data retention limits for click analytics:

    • For Free and Pro (Creator Plus) plan users, detailed click logs (individual IPs, etc.) are retained for a limited time (e.g., 90 days). Older detailed records are automatically deleted or aggregated. Summary statistics may be kept longer, but without personal identifiers.

    • For Business Pro users, we retain analytics data for a longer duration (potentially for the life of the subscription or a year or more) since one of the plan features is extended analytics history. Still, we won’t keep personal data indefinitely without need – if a Business Pro account terminates, we will eventually purge or anonymize their click data as well.

    • If you downgrade from a higher plan to a lower one, we may reduce retention accordingly (for instance, if moving from Business Pro to Free, we may delete detailed data older than 90 days). We will notify you of any significant data removal in such cases.

  • Transaction Records: We keep billing records, invoices, and payment transaction data as required by German commercial and tax law (usually 10 years retention for invoices). This will include your name, business details, and transaction amounts on invoices, as those are legal records.

  • Communications: Emails or support tickets may be retained for a period to track our customer service history, but we periodically purge old communications that are no longer needed.

  • Logs: Raw server logs are generally kept for a short period (a few weeks) unless needed for security analysis. We may keep security-relevant logs (e.g., records of significant attacks or unauthorized access attempts) longer until resolved. In general, logs are cleaned or anonymized routinely.

After the applicable retention period, we will securely delete or anonymize personal data. Anonymized data (which is no longer associated with an identifiable individual) may be retained indefinitely for statistical purposes without further notice.

7. Data Subject Rights

As our Service is B2B, most data we hold is business-related. However, to the extent GDPR or other data protection laws apply, individuals have the following rights regarding their personal data:

  • Right of Access: You can request a copy of the personal data we hold about you, along with information on what we use it for and with whom it’s shared.

  • Right to Rectification: If any personal data we have is incorrect or incomplete, you have the right to have it corrected or updated.

  • Right to Erasure: You can request deletion of your personal data. For example, if you have an account, you may delete it and we will erase personal data (except data we must keep for legal reasons). If you are an end-user who clicked a link and somehow your data was collected by us (like your IP in logs), you may contact us to request deletion. However, in most cases your data is anonymous to us (we likely wouldn’t know who you are just from an IP). We will honor valid deletion requests whenever possible.

  • Right to Restrict Processing: In certain circumstances, you can ask us to limit how we use your data (e.g., while a complaint is being resolved).

  • Right to Data Portability: You can request your personal data in a commonly used machine-readable format. For account owners, you can export your data (links, analytics) from the dashboard. We can also assist in exporting account data on request.

  • Right to Object: You can object to processing based on our legitimate interests, including profiling. For example, you can object to marketing emails – if so, we will stop sending them. If you object to us processing your link click data for analytics, note that usually we process that as a processor for our customer, in which case we would forward your objection to the relevant customer (the link creator).

  • Right not to be subject to automated decisions: We do not make any legally significant decisions about individuals purely by automated means without human involvement.

To exercise any of these rights, please contact us at [email protected]. We may need to verify your identity (to ensure we don’t give your data to someone else). We will respond within the timeframe required by law (under GDPR, usually within one month). If you are an end-user of one of our customers (i.e., you clicked their link), and you contact us, we may refer your request to that customer if they are the data controller for your data.

If you believe we have not complied with your data protection rights, you have the right to lodge a complaint with a supervisory authority in the EU (for example, the Datenschutzbehörde in Germany, or your local EU regulator).

8. Data Controller and Processor Roles (GDPR)

As mentioned, for most data we have a dual role:

  • For data about our direct customers and website visitors, EU.PE (Digital Marketing Agency ROMBEY) is the Data Controller – we determine the purposes and means of processing that data (e.g., account info, our own analytics).

  • For data that our customers collect through their use of our Service (like information on people clicking their links), the customer is the Data Controller and we act as a Data Processor on their behalf. We process that data only according to the customer’s instructions (as given by their use of our platform features) and not for our own independent purposes beyond providing the service.

We offer a Data Processing Agreement (DPA) to our customers to satisfy GDPR Article 28 requirements. This DPA outlines how we handle data as a processor, our security measures, and our commitments (confidentiality, assisting with data subject requests, etc.). Business customers who need a signed DPA can contact us to execute one.

In practical terms, this means:

  • If you are a business using EU.PE, you should ensure you have a lawful basis (e.g., consent or legitimate interest) to collect analytics on your users via our Service. You should also provide appropriate privacy notice to your users that you use EU.PE for link tracking.

  • We, as processor, will only use the link visitor data to provide you with the service and will follow the obligations in our DPA/GDPR (such as implementing security and not sharing the data except as you direct, etc.).

9. Security Measures

We employ appropriate technical and organizational security measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These include:

  • Encryption of data in transit (HTTPS/TLS encryption for all interactions with our website, APIs, and redirects).

  • Firewalls and access controls on our servers and databases – only authorized personnel have access to systems storing personal data.

  • Regular software updates and security patches to address vulnerabilities.

  • Backups of data to prevent loss, stored securely.

  • Monitoring of our systems for suspicious activity and response plans for potential incidents.

  • If applicable, two-factor authentication for administrative access to our systems and encouraging strong passwords for user accounts.

While we strive to protect data, no system can be 100% secure. In the event of a data breach that poses a risk to personal data, we will follow applicable breach notification laws, including notifying affected customers or users and authorities as required.

10. Children’s Privacy

Our Service is not intended for use by children. We do not knowingly collect personal data from anyone under 18 (or the applicable age of majority). Business customers are expected to be adults or legally established entities. If we become aware that a minor has provided us with personal information, we will delete it. If you believe a child has signed up or data of a child has been improperly collected, please contact us.

11. Updates to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our Service or legal obligations. If we make material changes, we will notify our users by posting a prominent notice on our site or by emailing registered account holders. The “Last updated” date at the top will always indicate the latest revision. We encourage you to review this Privacy Policy periodically. Continued use of the Service after any changes signifies your acceptance of the revised Policy.

12. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or how your personal data is handled, please contact us:

  • Email: [email protected]

  • Postal Mail: Digital Marketing Agency ROMBEY, Attn: Data Protection, Theodor-Körner-Str. 29, 41812 Erkelenz, Germany.

We will be happy to assist and address any issues to the best of our ability.