Privacy Policy

Last updated: 2026-05-08

kurl collects the minimum data needed and anonymizes by default. This policy follows GDPR Article 13 and Korea's PIPA.

1. What we collect

OAuth sign-in: email, provider (Google), signup date. Shortening: original URL, short code, expiry. Clicks: timestamp, User-Agent, Referer, IP with last octet masked, GeoIP-derived country/region/city.

2. Why

Service operation (redirect, stats), abuse protection, security incident response. Never sold or used for marketing.

3. Retention

Anonymous links auto-expire after 24h. Authenticated links persist until you delete them. Expired links and their clicks are auto-cleaned 30 days after expiry. Account deletion erases everything immediately.

4. IP anonymization

Stored IPs are masked (IPv4 last octet / IPv6 beyond first two groups). Raw IPs exist transiently in memory and logs only — never written to the database.

5. Your rights

GDPR Article 17 (erasure) and Article 20 (portability) are honored. The Settings page exposes data download (JSON) and permanent account deletion.

6. Third parties

Google OAuth (email, name), Google Safe Browsing API (URL hashes for malware checks), MaxMind GeoLite2 (offline GeoIP — no outbound calls).

7. Cookies

One HttpOnly + Secure + SameSite=Strict cookie for the JWT refresh token. No analytics or ad cookies.

8. Contact

Data inquiries: GitHub issues or the operator's email.