Privacy Policy
Last updated: July 7, 2026
Our Privacy Commitment
At opn.onl, privacy isn't just a feature — it's a core value. We collect only what's necessary to provide our service, and we never sell your data to third parties.
Information We Collect
Account Information
- Email address (for authentication and account recovery)
- Password hash (we never store passwords in plain text)
- Passkey credentials (if you enable passwordless login)
Link Data
- Original URLs you shorten
- Custom aliases you create
- Creation timestamps
- Expiration dates (if set)
Analytics Data (collected when someone opens a short link)
- Click counts and timestamps
- A truncated IP address — we remove the last part of the address before storing it (IPv4: last octet zeroed; IPv6: reduced to /48). The full address is used only in memory to derive an approximate location and for rate limiting, then discarded.
- Approximate, city-level location (country, region, city and city-level coordinates) derived from the IP via a local geolocation database — your IP is never sent to a third party for this
- Browser, device type and operating system (parsed from the user agent, which is also stored temporarily — see retention below)
- Referrer URLs
How We Use Your Information
We use your information exclusively to:
- Provide the service: Redirect shortened links, manage your account, and display analytics.
- Prevent abuse: Detect spam, malicious links, and terms of service violations.
- Improve the product: Understand usage patterns to make opn.onl better (in aggregate, never individual).
- Communicate with you: Send account-related notifications (password resets, security alerts).
We do NOT: Sell your data, show you ads, track you across other websites, or share your information with third parties except as required by law.
Data Security
We take security seriously:
- All data is encrypted in transit (HTTPS/TLS)
- Passwords are hashed using bcrypt with appropriate cost factors
- Database access is restricted and monitored
- We support passkey authentication for passwordless security
- Regular security audits and updates
Data Retention & Deletion
We retain your data only as long as necessary to provide the service:
- Account data: Retained until you delete your account
- Link data: Retained until you delete the link or your account
- Per-visitor analytics identifiers: The truncated IP address and raw user-agent string of a click are automatically anonymized after 13 months by a scheduled job
- Aggregate analytics: Non-identifying dimensions (click counts, country, city, device type, browser, referrer) are retained for the lifetime of the link so your statistics keep working
- Backups: Encrypted database backups are rotated on a fixed schedule; deleted data ages out of backups as they rotate
Your rights
Depending on where you live (e.g. under the GDPR or similar laws), you have the right to access, correct, export, object to the processing of, and delete your personal data. Where self-service deletion is enabled you can delete your account from Settings; otherwise email us and we will process verified deletion requests within 30 days.
Legal bases we rely on: performance of a contract (providing the service you sign up for), and legitimate interest (abuse prevention, security, and aggregate, non-identifying analytics).
Cookies & Local Storage
We use your browser's local storage to keep you signed in (your session token). We do not use advertising cookies, cross-site tracking, or third-party analytics or tracking pixels on this site.
Service Providers We Rely On
We don't sell or share your data for marketing. The following infrastructure providers process data on our behalf, strictly to run the service:
- Cloudflare — network proxy, TLS and DDoS protection in front of our servers (sees connection metadata like your IP, as any network carrier does)
- MaxMind GeoLite2 — the IP-to-city database used for geographic analytics; lookups run entirely on our own servers, so your IP is never transmitted to MaxMind
- Email delivery provider — sends transactional email only (verification, password reset, security notices) to the address you registered
- Object storage (S3-compatible) — stores encrypted database backups
Contact Us
If you have any questions about this Privacy Policy or how we handle your data, please contact us at:
[email protected]This privacy policy is effective as of July 7, 2026. We may update this policy from time to time. We will notify you of any significant changes by email or through a notice on our website.
