Privacy Policy
Last updated: April 2026
1. Introduction
PlinCode.ink ("we", "us", "our") is a URL shortening service operated by PlinCode di Daniele Barbaro, based in Italy. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our website at plincode.ink and plin.codes, our APIs, and all related services (collectively, the "Service").
We are committed to protecting your privacy in accordance with the General Data Protection Regulation (EU 2016/679, "GDPR") and applicable Italian data protection legislation.
By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our data practices, please do not use the Service.
2. Data Controller
The data controller responsible for your personal data is:
3. Data We Collect
3.1 Account Data
When you register for an account, we collect:
- Email address, used for authentication, account management, and essential communications.
- Password (stored in hashed form, never in plain text).
- Name (if provided).
3.2 Link and Workspace Data
When you create short links, we store:
- The destination URL you provide.
- The generated short code.
- Custom aliases or slugs (if any).
- Expiration dates and link settings.
- Workspace and project associations.
3.3 Click Analytics Data
When someone clicks on a short link, we collect:
- IP address, used to determine approximate geographic location (country, city). IP addresses are not stored in raw form after geolocation processing.
- User agent string, used to determine browser, operating system, and device type.
- Referrer URL, indicating where the click originated.
- Timestamp of each click.
- Country and city (derived from IP via GeoIP lookup).
3.4 Billing Data
If you subscribe to a paid plan, payment information (credit card details, billing address) is collected and processed directly by Stripe. We do not store full payment card details on our servers. We may store:
- Stripe customer and subscription identifiers.
- Plan type and subscription status.
- Invoice history references.
3.5 Technical Data
When you interact with the Service, we may automatically collect:
- Server logs (IP address, request URL, timestamps).
- Browser type and version.
- Device type and operating system.
4. Purpose and Legal Basis
We process your personal data for the following purposes:
| Purpose | Legal Basis (GDPR Art. 6) |
|---|---|
| Providing and operating the Service | Performance of contract (Art. 6(1)(b)) |
| User authentication and account management | Performance of contract (Art. 6(1)(b)) |
| Click analytics and traffic statistics | Legitimate interest (Art. 6(1)(f)) |
| Processing payments and subscriptions | Performance of contract (Art. 6(1)(b)) |
| Preventing abuse and ensuring security | Legitimate interest (Art. 6(1)(f)) |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) |
5. Third-Party Services
We rely on the following third-party service providers to operate the Service. Each provider processes data in accordance with their own privacy policy:
- Stripe, Inc. processes payment data for paid subscriptions. Stripe acts as an independent data controller for payment information. Privacy policy: stripe.com/privacy
- Cloudflare, Inc. provides CDN, DDoS protection, and DNS services. Cloudflare may process request metadata (IP addresses, headers) for security purposes. Privacy policy: cloudflare.com/privacypolicy
- MaxMind, Inc. provides the GeoLite2/GeoIP database used to determine geographic location from IP addresses. No personal data is transmitted to MaxMind; we use a locally hosted database. Privacy policy: maxmind.com/en/privacy-policy
6. Cookies and Similar Technologies
The Service uses the following types of cookies:
- Essential cookies: required for authentication, session management, and CSRF protection. These cookies are strictly necessary for the Service to function and cannot be disabled.
- Security cookies: used by Cloudflare for bot detection and DDoS protection.
We do not use advertising cookies, tracking cookies, or third-party analytics cookies. We do not participate in cross-site tracking or ad networks.
7. Data Retention
We retain your data according to the following policies:
- Account data: retained for the duration of your account. Upon account deletion, your data is permanently removed within 30 days.
- Short links: retained until they expire (if an expiration date is set) or until you delete them. Expired links are purged automatically.
- Click analytics: aggregated analytics are retained for the lifetime of the associated link. Raw click data may be pruned periodically.
- Server logs: retained for a maximum of 90 days, then automatically deleted.
- Billing records: retained as required by applicable tax and accounting regulations (typically up to 10 years under Italian law).
8. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption in transit (TLS/HTTPS for all connections).
- Encryption at rest for sensitive data.
- Secure password hashing using industry-standard algorithms.
- Regular security updates and patching.
- Access controls and principle of least privilege.
While we take reasonable precautions, no method of transmission or storage is completely secure. We cannot guarantee absolute security of your data.
9. Your Rights Under GDPR
As a data subject, you have the following rights under the GDPR:
- Right of access (Art. 15): you may request a copy of the personal data we hold about you.
- Right to rectification (Art. 16): you may request correction of inaccurate or incomplete personal data.
- Right to erasure (Art. 17): you may request deletion of your personal data ("right to be forgotten"). You can delete your account and all associated data from your dashboard settings.
- Right to restriction (Art. 18): you may request that we restrict the processing of your data in certain circumstances.
- Right to data portability (Art. 20): you may request your data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21): you may object to the processing of your data based on legitimate interest.
- Right to withdraw consent (Art. 7(3)): where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, please contact us at info@plincode.ink. We will respond within 30 days as required by the GDPR.
You also have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) at garanteprivacy.it.
10. International Data Transfers
Some of our third-party service providers (Stripe, Cloudflare) are based in the United States. Where personal data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, such as:
- EU-U.S. Data Privacy Framework certification.
- Standard Contractual Clauses (SCCs) approved by the European Commission.
11. Children's Privacy
The Service is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a minor, please contact us at info@plincode.ink and we will promptly delete the data.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated through the Service or by email. The "Last updated" date at the top of this page indicates when the policy was last revised. Continued use of the Service after changes constitutes acceptance of the updated policy.
13. Contact Us
If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:
- Email: info@plincode.ink