1. Introduction
Your privacy matters. This Policy describes what we collect, why we collect it, how long we keep it, and the choices available to you. By using ilync, you acknowledge this Policy. If you do not agree, please do not use the Service.
Capitalized terms not defined here have the meanings in our Terms of Service.
2. Who we are
The Service is operated by MikeSoft Studio (“Operator”). For questions about this Policy or personal data, contact us via mikesoftstudio.com .
Where the General Data Protection Regulation (GDPR) or similar laws apply, MikeSoft Studio is the data controller of personal data processed to provide ilync, except where we process data solely on behalf of a business customer under a separate written agreement (in which case the roles will be set out in that agreement).
3. Scope of this Policy
This Policy applies to:
- The website at https://ilync.dev and related web apps (including account, docs, link-in-bio editor, and admin surfaces where applicable);
- Our HTTP API and developer tooling;
- Redirects through short links and visitors who open those links;
- Public link-in-bio pages hosted at paths such as
/@username; and - Communications related to the Service (for example abuse reports or support requests).
This Policy does not apply to third-party websites or apps you reach after leaving ilync (including destinations behind shortened links or social profiles linked from a bio page). Those services have their own privacy practices.
4. Categories of data we collect
4.1 Account and identity data
- Authentication identifiers from Firebase Authentication (for example Firebase UID);
- Email address, display name, and profile photo URL when provided by you or your identity provider (for example Google Sign-In);
- Account creation and sign-in metadata;
- Preferences you set in the product (for example theme preference stored locally in your browser).
4.2 Short-link and content data
- Original destination URLs, short codes (including custom codes), optional expiration times, visibility settings (public, unlisted, or private), and ownership/association to your account or API key;
- For private links: access grants associating other user identifiers with a link;
- Saved-link metadata you store while signed in (for example in Firebase Cloud Firestore under your user document);
- Link-in-bio profile data: username, display name, tagline, avatar URL, publish state, and the social/custom links you configure.
4.3 Usage, click, and technical data
- Click analytics for short links: approximate timestamps, derived platform/device category from User-Agent, and HTTP referrer when available;
- IP address and related request metadata for rate limiting, abuse prevention, security logging, and Service operation;
- API request metadata associated with API keys (for example last used time); we store API keys as irreversible hashes, not in plaintext after issuance;
- Diagnostic and performance telemetry from hosting and analytics providers (see Section 8).
4.4 Safety and moderation signals
- Results of automated destination checks (for example blocked private networks, denylisted hosts, or optional reputation lookups) used to accept or reject a URL at creation time;
- Information you submit in abuse, safety, or rights requests (including the reported short code/URL and contact details).
4.5 Data we do not intentionally collect
We do not require government ID, payment card data, or precise GPS location to use core shortening features. We do not sell personal information. We do not use click analytics to build advertising profiles for sale to third parties.
5. How we collect data
- Directly from you — when you create links, sign in, mint API keys, edit a bio page, or contact us;
- Automatically — when browsers or clients call our servers, follow redirects, or load pages (logs, analytics, cookies / local storage);
- From identity providers — when you authenticate with Google or email/password via Firebase;
- From security/reputation tooling — optional server-side destination reputation checks may query a third-party API with the destination URL (not your account password).
6. How we use data
We process personal data to:
- Provide, operate, maintain, and improve the Service;
- Create and resolve short links; enforce expiration, privacy, and access-control settings;
- Authenticate users; maintain sessions; associate links, keys, and bio pages with accounts;
- Generate click statistics and display them to link owners or via documented APIs;
- Apply rate limits, detect fraud/abuse, block unsafe destinations, and protect the Service and other users;
- Communicate about the Service (for example security notices or material Policy/Terms changes);
- Comply with law, enforce our Terms, and respond to lawful requests;
- Analyze aggregated or de-identified usage to understand product performance (including via Vercel Analytics / Speed Insights where enabled).
7. Legal bases (EEA/UK and similar)
Where required, we rely on one or more of the following bases:
- Contract — to provide the Service you request (account features, API access, bio pages, short links);
- Legitimate interests — to secure the Service, prevent abuse, understand product reliability, and improve features, balanced against your rights;
- Consent — where we rely on consent (for example certain non-essential cookies or marketing, if introduced later), you may withdraw it at any time;
- Legal obligation — when we must retain or disclose data to comply with applicable law.
10. Retention
- Account data — kept while your account remains active and for a reasonable period afterward for security, backups, and legal claims;
- Short links — retained until deleted, expired and cleaned up, or removed for abuse/legal reasons;
- Click analytics — retained to power stats features and for a limited period for integrity/security; aggregated metrics may persist longer;
- API keys — hashed secrets and metadata retained until you revoke them or your account is closed, subject to security logs;
- Bio pages — retained until you unpublish/delete them or your account is closed;
- Logs & abuse records — kept for staggered periods appropriate to security and legal needs.
When retention ends, we delete or irreversibly anonymize data where feasible, subject to backup cycles and legal holds.
11. Security
We implement technical and organizational measures appropriate to the risk, including HTTPS in transit, least-privilege access to production systems, hashed API keys, authentication via Firebase, destination safety checks, and rate limiting against abuse.
No method of transmission or storage is perfectly secure. You are responsible for safeguarding account credentials and API keys, and for not placing confidential information in public link destinations or bio pages.
12. International transfers
We may process and store data in countries other than yours, including where our hosting, database, and Firebase services operate. Where required, we rely on appropriate transfer mechanisms (for example Standard Contractual Clauses or equivalent safeguards offered by our providers) and take steps to protect personal data in line with this Policy.
13. Your rights and choices
Depending on your location, you may have rights to access, correct, delete, or export personal data; to object to or restrict certain processing; to withdraw consent; and to lodge a complaint with a supervisory authority.
Practical ways to exercise choices:
- Update profile information in your account dashboard;
- Revoke API keys you no longer need;
- Edit or unpublish your link-in-bio page at /link;
- Remove saved links from your dashboard (note: removing a saved-link entry may not delete the underlying short link/redirect unless a dedicated delete is performed where available);
- Request deletion or other rights by contacting us via mikesoftstudio.com
California / similar U.S. state notices
We do not “sell” or “share” personal information for cross-context behavioral advertising as those terms are commonly defined under the CCPA/CPRA. We do not use sensitive personal information to infer characteristics beyond what is needed to provide the Service. You may contact us to exercise applicable rights; we will not discriminate against you for doing so.
14. Children’s privacy
The Service is not directed to children under 16 (or the minimum age required in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided personal data, contact us and we will take appropriate steps to delete it.
15. Public content and third-party destinations
If you create a public or unlisted short link, or publish a bio page, information you include (URLs, usernames, avatars, button labels) may be accessible worldwide. Search engines or third parties may index or copy public pages.
When someone follows your short link, they leave ilync and become subject to the destination site’s privacy practices. You are responsible for ensuring you have the rights to publish the links and content you submit.
16. Automated decision-making and safety checks
We use automated rules and optional reputation lookups to help prevent shortening to private networks, reserved hosts, or known-unsafe destinations. These checks may result in a URL being rejected at creation time. They are security measures for the Service and other users, not credit scoring or similar profiling decisions with legal effect under Article 22 GDPR. If you believe a URL was rejected in error, contact us with details.
17. Changes to this Policy
We may update this Policy from time to time. We will post the revised version on this page and update the “last updated” date. Material changes may be highlighted in the product or communicated by other reasonable means. Continued use after the effective date constitutes acceptance of the updated Policy where permitted by law.
18. Contact
Operator website: mikesoftstudio.com
Related agreement: Terms of Service