Privacy Policy
Last updated: 2026-05-23 · data controller: esej.space (Poland)
Plain language summary
cutty.dev is a URL shortener. We collect the bare minimum needed to run the service: your email (if you sign in), a salted hash of your IP (for anti-abuse), and basic click metadata (how many, from where, what device). Everything is stored on our own server in the EU. We don't sell your data, we don't profile you for ads, we don't send newsletters you didn't ask for.
1. Who processes your data
The data controller is esej.space (sole proprietor, Poland). Contact: hello@cutty.dev. Hosting: our own server in the EU. Daily backups.
2. What we collect and why
| Data | Purpose | Retention |
|---|---|---|
| Login + transactional notifications (sign-in PIN, password reset) | Until account deletion | |
| IP hash (salted) | Rate-limit (anti-bruteforce), unique click counting | 365 days (hits) / 1h (rate-limit cache) |
| User-agent + referrer + country | Link analytics (where clicks come from, what browsers) | 365 days |
| Your links + slugs | Service operation (redirection) | Indefinitely (slug never recycled) |
| Session cookies | Login session, password-unlock per link | 30 days / 24h |
| Anonymous cookie | So you can "claim" links you created before signing in | 365 days |
| Locale cookie | Remembers your language choice | 365 days |
We do NOT collect: raw IP, phone, address, biometric data, browsing history outside cutty.dev, GPS location.
3. Third-party processors
- Transactional email provider (EU) — sends you PINs and notifications. Sees recipient email.
- Google / Facebook OAuth (optional) — only if you choose "Sign in with Google/Facebook". We receive email + name + avatar URL.
- Self-hosted analytics — anonymous traffic counter for the landing page (does NOT track clicks on your links). Opt-out via the cookie banner.
For your safety we don't publicly document the specific vendors and providers we use; if you have a compliance question, email hello@cutty.dev.
4. Your rights (GDPR)
- Access + export — in dashboard → Download CSV (all your links)
- Rectification — link editing in the dashboard
- Erasure — delete your account in the dashboard (Account → Delete account) or email hello@cutty.dev. Your account data is removed. Your link slugs remain blocked (never reusable) but are unlinked from you and stop redirecting.
- Objection / restriction — contact us
- Complaint — Polish UODO (uodo.gov.pl) or your local EU DPA
5. Security
- HTTPS everywhere
- Passwords + session tokens hashed with industry-standard algorithms
- Daily database backups with rotation
- 2FA at OAuth providers where available
- No raw IP logging — only salted hashes
We deliberately don't document specific infrastructure details publicly — it's part of our security posture.
6. Policy changes
We'll publish any changes on this page (date at top) and notify signed-in users by email. You can request data deletion at that time if you disagree.
7. Contact
Questions, GDPR requests, incident reports: hello@cutty.dev.
This document is not a substitute for legal advice. If you run a regulated business (medical, financial, B2C with special-category data), consult a lawyer before using cutty.dev for such content.