Privacy Policy
Last updated: 2026-05-21 · data controller: esej.space (Poland)
Short and simple
cutty.dev is a link shortener. We collect the minimum needed to operate: your email (if you log in), a hashed IP address (to protect against abuse), and basic data about link clicks (how many, from where, on which device). We keep everything on our own server in Poland. We don't sell data, don't profile for ads, and don't send newsletters you didn't subscribe to.
1. Who processes your data
The administrator is esej.space (an individual running the service, Poland). Contact: [email protected]. Hosting: our own server in Poland (Unraid + Docker), with local backups.
2. What we collect and why
| Data | Why | How long |
|---|---|---|
| Email | Login and transactional notifications (PIN, password reset) | Until account deletion |
| IP hash (SHA-256 with salt) | Protection against abuse, counting unique clicks | 365 days (clicks) / 1h (cache limit) |
| User-agent + referer + country (from Cloudflare) | Link statistics (where people click, which browsers they use) | 365 days |
| Your links and endings | Service operation (redirect) | Indefinitely (ending never returns to pool) |
| Session cookies | Login session, unlocking password-protected links | 30 days / 24h |
| Anonymous cookie (cutty_anon) | So you can take over links created before logging in to your account | 365 days |
| Language cookie (cutty_locale) | Remembers your language choice after clicking PL/EN in the footer | 365 days |
WE DO NOT COLLECT: full IP address, phone number, address, biometric data, browsing history outside cutty.dev, GPS location.
3. Third parties
- Cloudflare (CDN and tunnel) — mediates HTTPS traffic, sees IP address and headers. Policy: cloudflare.com/privacypolicy
- Resend (transactional email, Ireland, eu-west-1) — sends you PIN codes and notifications. Sees recipient's email. Policy: resend.com/legal/privacy-policy
- Google / Facebook (optional login) — only if you choose "Log in with Google/Facebook". We receive email, name, and avatar address.
- Matomo (self-hosted on stats.esej.space) — anonymous analytics of traffic on the homepage (DOES NOT track your users' links). You can disable it in the cookies banner below.
4. Your rights (GDPR)
- Access and export — in the dashboard → Download CSV (all your links)
- Correction — edit links; delete account via email contact
- Deletion — request at [email protected], fulfilled within 30 days. Endings of your links will remain permanently blocked (never return to pool), but without association to you
- Objection or limitation — contact
- Complaint — President of the Personal Data Protection Office (uodo.gov.pl), if you believe we are violating your rights
5. Security
- HTTPS everywhere (TLS via Cloudflare)
- Passwords hashed with bcrypt, sessions signed with HMAC
- SQLite databases encrypted at disk level (LUKS), local backups
- 2FA with OAuth providers, when available
- We don't log raw IP addresses — only salted hashes, with a salt that doesn't leak from the database
6. Policy changes
All changes will be announced on this page (date at the top) and emailed to logged-in users 30 days before taking effect. You can then request data deletion.
7. Contact
Questions, GDPR requests, incident reports: [email protected]. We respond within 7 business days, and to GDPR requests within 30 days at most.
This document is not a substitute for legal advice. If you run a regulated business (medical, financial, B2C with special-category data), consult a lawyer before using cutty.dev for such content.