Privacy Policy

Last Updated: January 13, 2026

1. Introduction

Self-Hosted Application

This application is designed for self-hosting. The demo instance at go.a04.dev is for demonstration only. When self-hosting, you control all data and are responsible for your privacy policy.

This Privacy Policy describes data collection and usage for self-hosted deployments. Customize this template for your deployment.

2. Information We Collect

2.1 API Keys

API keys authenticate requests to create shortened URLs. Your actual API key is never stored. Instead, we use HMAC-SHA256 (a keyed hashing algorithm) with a server-side secret to create an irreversible hash. We store:

  • Key hash (a cryptographic fingerprint that cannot be reversed to recover the original key)
  • Unique identifier, creation timestamp, optional note, and whether the key has been revoked

2.2 URLs

When creating a shortened URL, we store:

  • Original URL, 12-character code, creation timestamp, expiration timestamp (optional), creator key ID

2.3 Rate Limiting

To prevent abuse and ensure fair usage, we limit requests to 10 per minute per IP address or API key. We temporarily store:

  • IP addresses (your device's network address) and request counts, stored only for 1-minute time windows

2.4 Browser Extension

The browser extension stores data locally on your device (never sent to our servers):

  • API key stored in browser sync storage (syncs across your devices if you're signed into your browser)
  • Link history (up to 50 most recent shortened URLs) stored locally: includes the short URL, original URL, and expiration time

3. How We Use Information

  • URLs are stored to enable redirection: when someone visits a short code, they are redirected to the original URL
  • API key hashes verify that requests to create links are authorized
  • Rate limiting (10 requests/min per IP/key) prevents abuse and denial-of-service attacks
  • SSRF protection (Server-Side Request Forgery prevention) blocks URLs that point to private networks or localhost, preventing security vulnerabilities

We do not collect analytics, track who clicks on links, collect user information, or use cookies for tracking.

4. Data Retention

  • URLs: Retained until expiration (default: 14 days if no expiration is set) or manual revocation. Expired links are automatically deleted from the database. Revoked links are marked as revoked but retained for audit purposes.
  • API Keys: Retained indefinitely until manually revoked by an administrator. Revoked keys are marked as revoked but retained in the database for audit and security purposes.
  • Rate Limits: Rate limit data is stored for 1-minute windows and automatically expires after each window ends. Old rate limit entries are automatically cleaned up.
  • Browser Extension: Link history is limited to 50 entries. Expired links are automatically removed from the history. All extension data remains on your device until you manually clear it through browser settings or uninstall the extension.

5. Self-Hosting

This application is designed for self-hosting. You control all data, API keys, and privacy practices.

Note: Customize this policy template for your deployment, including third-party services you use.

5.1 API Key Management

Generate keys using admin scripts:

  • npm run admin:create-key [note] - Create key (shown once)
  • npm run admin:list-keys - List keys
  • npm run admin:revoke-key <key_id> - Revoke key

5.2 Environment Variables

  • DATABASE_URL: PostgreSQL connection string (required)
  • API_KEY_PEPPER: Secret for hashing API keys (required)
  • MAX_TTL_SECONDS: Maximum link TTL in seconds (optional, default: 14 days)

6. Data Sharing

We do not sell or share data with third parties. When self-hosting, you control which services process your data. This application operates independently and does not require external services.

Information may be disclosed if required by law or valid legal requests.

7. Security

  • HTTPS/TLS encryption ensures all data transmitted between your device and our servers is encrypted
  • API keys are hashed using HMAC-SHA256 (a keyed cryptographic hash) and never stored in plaintext - even if the database is compromised, your API keys cannot be recovered
  • Constant-time comparison when verifying API keys prevents timing attacks that could potentially reveal key information
  • SSRF protection: URLs are validated by resolving DNS and blocking any that point to private IP addresses (like localhost or internal networks), preventing security vulnerabilities
  • Rate limiting restricts requests to 10 per minute per IP address or API key, preventing abuse and denial-of-service attacks
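
The API key handling described in sections 2.1 and 7 (HMAC-SHA256 with a server-side secret, constant-time verification, revocation flag), as an added Node.js example that is not the application's own code. The function names, the record layout and the fallback pepper value are assumptions of this example; only API_KEY_PEPPER comes from this page.

```javascript
const crypto = require('node:crypto');

// Assumption: the secret is read from API_KEY_PEPPER (section 5.2).
// The fallback is a constructed demo value so the example runs offline.
const PEPPER = process.env.API_KEY_PEPPER || 'constructed-demo-pepper-do-not-deploy';

// HMAC-SHA256 of the key under the pepper. Without the pepper, a database
// dump alone does not let anyone test candidate keys against the hashes.
function hashApiKey(apiKey, pepper = PEPPER) {
  return crypto.createHmac('sha256', pepper).update(apiKey, 'utf8').digest('hex');
}

// Create a high-entropy key. The plaintext is returned once to the caller;
// only `record` (hash plus metadata) would be written to the database.
function createApiKey(note = '') {
  const apiKey = crypto.randomBytes(32).toString('base64url');
  const record = {
    id: crypto.randomUUID(),
    keyHash: hashApiKey(apiKey),
    note,
    createdAt: new Date().toISOString(),
    revoked: false,
  };
  return { apiKey, record };
}

// Verify a presented key against a stored record in constant time.
function verifyApiKey(presentedKey, record, pepper = PEPPER) {
  if (typeof presentedKey !== 'string' || !record) return false;
  const expected = Buffer.from(record.keyHash, 'hex');
  const actual = crypto.createHmac('sha256', pepper).update(presentedKey, 'utf8').digest();
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  const match = expected.length === actual.length && crypto.timingSafeEqual(expected, actual);
  // Revoked keys stay in the table for audit but never authenticate.
  return match && !record.revoked;
}
```

The irreversibility claim depends on the pepper staying out of the database and on keys being random rather than user-chosen; rotating the pepper invalidates every stored hash.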
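
The SSRF check described above (resolve DNS, reject anything that points at a non-public address), as an added Node.js example that is not the application's own code. The function names, the blocked-range list and the injectable `resolve` parameter are assumptions of this example.

```javascript
const net = require('node:net');
const dns = require('node:dns/promises');

// Non-public IPv4 ranges (this example's list, not the project's own).
const V4_BLOCKED = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16], ['224.0.0.0', 3],
];

const v4ToInt = (ip) => ip.split('.').reduce((acc, octet) => acc * 256 + Number(octet), 0);

function isBlockedV4(ip) {
  const n = v4ToInt(ip);
  return V4_BLOCKED.some(([prefix, bits]) => {
    const size = 2 ** (32 - bits); // number of addresses in the subnet
    return Math.floor(n / size) === Math.floor(v4ToInt(prefix) / size);
  });
}

function isBlockedAddress(ip) {
  switch (net.isIP(ip)) {
    case 4:
      return isBlockedV4(ip);
    case 6: {
      // Allow only global unicast 2000::/3. Loopback, fc00::/7, fe80::/10 and
      // IPv4-mapped forms (::ffff:a.b.c.d) all fall outside it and fail closed.
      const first = parseInt(ip.split(':')[0] || '0', 16);
      return (first & 0xe000) !== 0x2000;
    }
    default:
      return true; // not an IP literal: fail closed
  }
}

// `resolve` is injectable so the check can be exercised offline.
async function checkUrl(rawUrl, resolve = (host) => dns.lookup(host, { all: true })) {
  let url;
  try { url = new URL(rawUrl); } catch { return { ok: false, reason: 'invalid URL' }; }
  if (!['http:', 'https:'].includes(url.protocol)) return { ok: false, reason: 'scheme not allowed' };
  const host = url.hostname.replace(/^\[|\]$/g, ''); // IPv6 literals arrive bracketed
  let addrs;
  try { addrs = net.isIP(host) ? [{ address: host }] : await resolve(host); }
  catch { return { ok: false, reason: 'DNS resolution failed' }; }
  // Every resolved address must be public; one private record is enough to reject.
  const bad = addrs.find((a) => isBlockedAddress(a.address));
  if (addrs.length === 0 || bad) return { ok: false, reason: 'non-public address' };
  return { ok: true, addresses: addrs.map((a) => a.address) };
}
```

The result reflects DNS at validation time only; a hostname can resolve to a different address later, so the check limits what can be stored, not where a visitor's browser eventually connects.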

8. Browser Extension

Permissions:

  • activeTab: Read current tab URL
  • storage: Store API key (sync) and history (local)
  • clipboardWrite: Copy shortened URLs
  • host_permissions: Communicate with API endpoint

All data is stored locally on your device. No tracking or telemetry. The extension can be configured for any self-hosted instance.

9. Your Rights

  • Access: You may request a copy of all data (URLs and API key metadata) associated with your API keys by contacting your deployment administrator
  • Deletion: API keys and links can be revoked at any time using admin scripts (npm run admin:revoke-key and npm run admin:revoke-link). Browser extension data can be cleared through your browser's settings or by uninstalling the extension
  • Correction: Since we only store URLs and hashed keys, there is no mechanism to "correct" data. You can revoke and recreate links if needed

10. GDPR and CCPA Compliance

As a self-hosted application, you are the data controller and responsible for compliance.

10.1 GDPR (EEA)

Users have the right to access, rectify, and delete their data, to data portability, to object to processing, and to withdraw consent.

10.2 CCPA (California)

Users have the right to know what personal information is collected, to delete personal information, and to opt out of sale (we do not sell data).

11. Children's Privacy

This application is not directed to individuals under 13. We do not knowingly collect personal information from children under 13.

12. Contact

Self-Hosted Application Notice

Privacy inquiries should be directed to your deployment administrator. Each self-hosted instance is independently operated.

For questions about this policy template or the application:

13. Changes to This Policy

This policy may be updated. The "Last Updated" date indicates when changes were made. Continued use after changes constitutes acceptance.

Summary

  • Minimal data collection: only URLs, hashed API keys, and temporary rate limit data
  • No analytics, tracking, or cookies
  • API keys hashed with HMAC-SHA256, never stored in plaintext
  • Browser extension data stored locally on device
  • Self-hosted: you control all data and infrastructure
  • Data can be deleted at any time via admin scripts or browser settings