Privacy policy
This is the privacy policy for Compress Me, the URL-shortening service at comprs.me. We've tried to write it in plain English. If anything is unclear, email privacy@comprs.me.
Who we are
Compress Me is operated by Chris South, a sole trader based in the United Kingdom. References to "we", "us" and "our" mean Compress Me.
What data we collect
When you shorten a URL (with or without an account)
- The destination URL you submit
- Your IP address (kept for abuse prevention)
- The date and time
When you create an account
- Your email address
- A bcrypt hash of your password (we cannot recover or read your actual password)
- Your IP address at signup and each login (for security and abuse prevention)
- The user-agent of your browser when issuing a "remember me" cookie
When you subscribe to a paid plan
- Your subscription status, plan, and billing period dates
- A Stripe customer reference (used to look up your subscription with Stripe)
- Your card details are submitted directly to Stripe and never touch our servers
When someone clicks one of your short links
- The clicker's IP address
- Browser user-agent
- Referring URL (if their browser sends one)
- Timestamp
This data is associated with the link itself for click counts and analytics, including a country-level breakdown shown to paid-tier users. Country is derived from the IP address using a local lookup database — we do not send IP addresses to any third party for this.
What we deliberately don't collect
- No third-party tracking pixels or analytics scripts on the site
- No advertising network cookies
- No cross-site identifiers
How we use this data
- To operate the service: resolve short links to long URLs, count clicks, let you log into your account, show you analytics.
- To prevent abuse: rate-limit per IP, screen URLs against blocklists like URLhaus, and review reports of malicious links.
- To send transactional email: email verification at signup, password reset, billing notifications (receipts, subscription changes, cancellation confirmations), and security notifications. We do not send marketing email.
Where your data lives
Application data is stored on servers operated by Hetzner Online GmbH in Germany. Email is processed by our hosting provider Heart Internet, located in the United Kingdom. Payment data is processed by Stripe Payments Europe Limited, based in Ireland. The UK, EU member states, and Ireland operate equivalent data-protection regimes (UK GDPR and EU GDPR, recognised by adequacy decisions in both directions), so transfers between them are treated the same as data staying within either jurisdiction.
How long we keep your data
- Account data: for as long as your account is active. If you delete your account, all your data is removed after a 30-day grace period, during which you can sign back in to restore the account.
- Short links and click logs: short links are kept for as long as they exist (until they expire or are deleted). Click logs are kept for your plan's analytics window — 90 days on Free, 365 days on Starter, and for the life of the link on Pro and Business — after which older click rows are deleted automatically. Links created without an account follow the 90-day Free window for click data. Deleting a link deletes its click data; deleting your account deletes all your links and their click data.
- Billing records: retained for at least 6 years after the last payment, as required by UK tax law. This obligation is independent of account deletion.
- Rate-limit records: 24 hours.
- Abuse reports: indefinitely (we need a long-term record of malicious patterns).
- Email-verification and password-reset tokens: deleted automatically once used or expired.
Who we share data with
We do not sell your data to anyone. We share data only with:
- Hosting providers (Hetzner, Heart Internet) strictly to operate the service.
- Stripe Payments Europe Limited processes payments for paid plans. Your card details are submitted directly to Stripe and never reach our servers. Stripe is PCI-DSS compliant. See Stripe's privacy policy for what they do with that data.
- Abuse-prevention services like hCaptcha (for bot protection on forms), URLhaus (we read from their public blocklist; we do not send your URLs to them), and Google Web Risk (we send the destination URL to Google to screen it for malware and phishing).
- Law enforcement if we receive a valid legal request such as a court order.
Your rights under UK GDPR
If you're in the UK or EU, you have the following rights:
- Access: request a copy of the data we hold about you
- Correction: ask us to fix anything that's wrong
- Deletion: ask us to delete your data (you can do this yourself from your account settings)
- Portability: ask for a copy of your data in a machine-readable format
- Objection: object to particular kinds of processing
- Complaint: complain to the UK ICO (ico.org.uk) if you think we're handling your data badly
To exercise any of these rights, email privacy@comprs.me from the email address registered on your account. We'll respond within 30 days.
Cookies
We use the following cookies:
- Session cookie — keeps you logged in within a browser session (essential).
- "Remember me" cookie — keeps you logged in for up to 90 days, if you tick the box at login (essential).
- CSRF token — protects forms from cross-site request forgery (essential).
- hCaptcha cookie — set by hCaptcha to detect bots when you submit forms (essential).
We don't use cookies for tracking or advertising. Because all our cookies are strictly necessary for the service to function, we don't show a cookie consent banner under the UK PECR rules.
Children
Compress Me is not directed at children under 13, and we don't knowingly collect data from anyone under 13. If you're a parent or guardian who believes your child has signed up, email us and we'll delete the account.
Changes to this policy
We'll update this page when our practices change. For substantial changes (anything that affects what we collect or how we use it), we'll email account holders before the change takes effect.
Contact
Email privacy@comprs.me for any privacy question or request. For abuse reports, use abuse@comprs.me or the report form.