Privacy Policy

Protected.cx (“we”, “our”, “us”) operates the website https://protected.cx and related sub-domains. This Privacy Policy explains how and why we collect, use, disclose and safeguard your personal data when you visit our site or use our free URL-shortening, QR-code, bio-page and analytics services (the “Services”). We act as a data controller for all personal data covered by this Policy and we process data in accordance with the EU General Data Protection Regulation (“GDPR”).
 

1. IMPORTANT CONTACT DETAILS
Data Controller: Protected.cx
E-mail: [email protected]
 

2. WHAT PERSONAL DATA WE COLLECT
2.1 Data you provide voluntarily
Username, e-mail address and password (encrypted) when you register
Any content you enter (original long URLs, titles, bio-page text, file uploads, etc.)
Feedback, support tickets or survey answers
2.2 Data generated when you use the Services
Short-link clicks, QR scans, bio-page views
IP address (anonymised to /24 for IPv4 and /48 for IPv6 after 24 h)
Browser type & version, device type, OS, language
Referrer header, timestamp, coarse geo-location (country/region)
Event data sent to optional tracking pixels you choose to connect (Facebook, GA, etc.)
2.3 Cookies & similar technologies
Essential cookies: session ID, CSRF token, authentication token
Analytics cookies: to count visits and detect abuse (Matomo, self-hosted)
Preference cookies: theme, language
Third-party cookies: only if you enable external pixels (see § 8)
You can accept or refuse non-essential cookies via the banner or withdraw consent at any time.
 

3. PURPOSES & LEGAL BASES FOR PROCESSING
Purpose:                                                                                     Legal basis (GDPR art.):
Account creation & authentication                                          Contract – Art. 6(1)(b)
Delivering shortened links, QR codes, bio pages                  Contract – Art. 6(1)(b)
Generating aggregated statistics for you                               Contract – Art. 6(1)(b)
Improving performance & security                                   Legitimate interests – Art. 6(1)(f)
Detecting or preventing abuse/fraud                               Legitimate interests – Art. 6(1)(f)
Storing your cookie preferences                                              Consent – Art. 6(1)(a)
Sending you service announcements (no marketing)     Legitimate interests – Art. 6(1)(f)
Complying with legal obligations                                     Legal obligation – Art. 6(1)(c)
(We do not make automated decisions that produce legal or similarly significant effects)
 

4. RETENTION PERIODS
Account data: until you delete your account + 30 days (backups erased within 180 days)
Raw click/log data: 90 days, then anonymised/aggregated
Anonymised statistics: kept indefinitely (no personal data)
Support tickets: 12 months after last reply
Server logs: 90 days
We review retention annually; data no longer needed is erased or anonymised.
 

5. YOUR RIGHTS UNDER GDPR
You may contact [email protected] to:
Access – receive a copy of your data (Art. 15)
Rectify – correct inaccurate or incomplete data (Art. 16)
Erase – “right to be forgotten” (Art. 17)
Restrict processing (Art. 18)
Data portability – export your links and statistics (Art. 20)
Object to processing (Art. 21)
Withdraw consent at any time (Art. 7)
We respond within one month (extendable by two). You also have the right to lodge a complaint with your local supervisory authority.
 

6. SHARING & INTERNATIONAL TRANSFERS
We never sell personal data. We only share it:
With hosting providers (EU-based) under GDPR (Art. 28)
With e-mail delivery services (EU or SCC-covered) to send account e-mails
When you activate third-party pixels (Facebook, Google, etc.) – their own policies apply
When legally required (court order, law-enforcement request)
If data leaves the EEA we rely on:
Adequacy decisions, or EU Standard Contractual Clauses (SCCs)
 

7. SECURITY MEASURES
HTTPS (TLS 1.3) on all pages
Passwords hashed with bcrypt + unique salt
Database encrypted at rest
Role-based access, MFA for staff
Regular security & penetration tests
24h incident-response procedure
 

8. THIRD-PARTY INTEGRATIONS
Our dashboard lets you connect analytics or advertising pixels (e.g., Meta, Google, LinkedIn). Activating them sends data directly to those providers; we become joint controllers or a processor depending on the integration. Their own privacy policies govern that onward transfer.
 

9. EXTERNAL LINKS
Shortened URLs may lead to third-party websites. We are not responsible for the content or privacy practices of those sites.
 

10. CHILDREN
The Services are not directed to children under 16. If we learn that such data has been collected, we will delete it promptly.
 

11. CHANGES TO THIS POLICY
We will post any material changes on this page with an updated “Last updated” date and, where significant, notify you by e-mail or in-app banner.
 

12. COOKIE DECLARATION (summary)

Name:           Type:        Duration:                          Purpose:
sess           1st party      Session         Authentication (strictly necessary)
csrf            1st party      Session          Security (strictly necessary)
matomo    1st party      13 months     Analytics (requires consent)
lang           1st party      1 year            Language preference (requires consent)
 

13. HOW TO EXERCISE YOUR RIGHTS OR MAKE A COMPLAINT
E-mail: [email protected]
 


BY CONTINUING TO USE PROTECTED.CX YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD THIS PRIVACY POLICY.

 

Last Update: March, 2025