Privacy Policy

1. Scope and Roles

This Privacy Policy explains how ShortURL.bot collects, uses, discloses, stores, and protects personal information when you use our websites, dashboard, short links, redirects, QR codes, hosted pages, forms, analytics, conversion tracking, domain services, API/MCP tools, AI features, billing, and support. The legal entity responsible for ShortURL.bot is Neurofinity AI Ltd., established in the Province of Alberta, Canada.

Because we are established in Alberta, we comply with Alberta's Personal Information Protection Act (PIPA) for personal information we collect from Alberta residents, with Canada's federal Personal Information Protection and Electronic Documents Act (PIPEDA) for commercial activities subject to federal jurisdiction, with Quebec's Act respecting the protection of personal information in the private sector (Law 25) for personal information of Quebec residents, and with privacy laws in other jurisdictions where they apply to our processing.

For account, billing, domain, abuse, safety, and platform operations data, we generally act as an independent controller. For form responses, customer-imported data, customer pages, conversion events, and similar data we process on behalf of business customers, we may act as a processor or service provider under our Data Processing Addendum.

2. Information We Collect

• Account and identity data: name, email address, login identifiers, authentication provider data, workspace membership, roles, preferences, language, and support contacts.
• Billing data: plan, subscription status, invoices, receipts, payment method metadata, taxes, billing address, chargeback and refund records. Full card numbers are handled by Stripe or other payment processors, not stored by us.
• Service content: long URLs, short links, custom back-halves, QR settings, uploaded images or files, hosted-page content, form definitions, form responses, Smart Replace input/output, AI prompts and outputs you submit or keep, and related metadata.
• Domain data: domain search queries, selected domains, DNS verification records, registrant contact profiles, renewal settings, registrar/registry status, and domain-order history.
• Usage and analytics data: click, scan, page-view, form-response, conversion, device, browser, referrer, approximate location, campaign, attribution, bot-filtering, masked IP, user-agent, and timestamp data.
• API and security data: API key metadata, hashed or partial key identifiers, request logs, rate-limit counters, audit logs, member actions, abuse signals, safety-scan results, blocked URLs, and system diagnostics.
• Communications: support messages, feedback, screenshots you submit, survey responses, and email preferences.

3. Sources

We collect information from you, your team members, your visitors and respondents, your use of the Service, browsers and devices, authentication providers, payment processors, domain providers, safety and abuse providers, AI providers, analytics tools, and other service providers. Customers may also send us personal information through APIs, MCP tools, forms, conversion pixels, bulk imports, and integrations.

4. How We Use Information

• Provide, secure, troubleshoot, maintain, and improve the Service.
• Create and manage accounts, workspaces, team roles, API keys, subscriptions, invoices, domains, links, QR codes, pages, forms, and conversion configs.
• Process payments, renewals, refunds, taxes, chargebacks, and fraud checks.
• Route redirects, render public pages and forms, measure clicks/scans/views, attribute conversions, and produce analytics and exports.
• Run safety scans, abuse detection, spam prevention, rate limiting, blacklist checks, link review, security monitoring, and legal compliance workflows.
• Provide AI-assisted features, generate or analyze content at your request, and improve feature quality where permitted by law and provider terms.
• Send service notices, support responses, security alerts, billing notices, product updates, and marketing messages where permitted.
• Enforce our legal terms, protect users and third parties, respond to legal requests, and comply with applicable law.

5. Legal Bases

Where laws such as the GDPR or UK GDPR apply, our legal bases may include performance of a contract, legitimate interests, consent, compliance with legal obligations, and protection of vital interests. Our legitimate interests include operating and securing the Service, preventing abuse and fraud, improving features, supporting customers, enforcing terms, and measuring product performance.

6. Cookies and Tracking

We use cookies, local storage, pixels, scripts, and similar technologies for authentication, security, preferences, analytics, product improvement, abuse prevention, and conversion tracking. Details are in our Cookie and Tracking Policy.

If you install our conversion script, publish forms, use hosted pages, or track visitors through links or QR codes, you are responsible for providing your own notices and obtaining legally required consent from your visitors, respondents, customers, and end users.

7. AI and Automated Processing

AI features may send prompts, URLs, screenshots, page text, images, or related context to AI providers so they can generate or analyze requested outputs. Safety systems may automatically classify, score, block, disable, or route links and content for review. These tools support platform safety and product functionality but should not be treated as legal, financial, medical, or professional advice.

We use AI providers on terms that exclude customer inputs and outputs from being used to train third-party foundation models, and we configure zero-retention or short-retention API paths where the provider offers them. AI features are optional for many workflows, and customers can avoid sending content to AI providers by not using AI features. Automated safety scoring is informational and does not replace human review for material decisions about an account, link, form, or page.

Where content is generated or meaningfully altered by AI, we surface an AI-generated indicator to end users in line with Article 50 of EU Regulation 2024/1689 (the EU AI Act) and equivalent transparency laws. For AI-generated or AI-edited images, assets, and QR designs we apply machine-readable marking where feasible.

8. How We Disclose Information

We may disclose information to service providers and subprocessors that host, secure, authenticate, bill, email, monitor, scan, analyze, support, register domains, or provide AI and other functions for the Service. Our current public list is available on the Subprocessors page.

We may also disclose information to workspace owners and admins, team members according to their roles, domain registrars and registries, payment processors, abuse and reputation networks, professional advisers, business transferees, law enforcement, regulators, courts, or other parties where required or permitted by law, necessary to protect rights and safety, or needed to enforce our terms.

Authorized ShortURL.bot support, security, and administrative personnel may access a customer account, workspace, dashboard session, or customer content for limited support, security, abuse-response, billing-investigation, or system-maintenance purposes, including through an impersonation session. Such access is limited to what is necessary, is restricted to personnel bound by confidentiality obligations, and is recorded in audit logs visible to workspace owners where the audit-log feature is available to that plan.

9. Customer-Controlled Data

Business customers decide what data they collect through forms, conversion tracking, hosted pages, links, QR codes, APIs, and MCP tools. Those customers are responsible for their own privacy notices, consent, lawful basis, retention instructions, and responses to their visitors and respondents. If you are a visitor or respondent interacting with a customer's link, page, form, or pixel, contact that customer for requests about data they control.

10. Retention

We retain personal information for as long as needed to provide the Service, comply with legal obligations, resolve disputes, enforce agreements, prevent abuse, maintain security, and support business records. Retention may vary by plan and feature. Analytics history, click detail, conversion events, audit logs, form responses, domain records, billing records, abuse evidence, and backups may have different retention periods.

When you delete content or close an account, we will delete or de-identify data according to our operational schedules unless retention is needed for legal, billing, tax, security, abuse-prevention, backup, or legitimate business purposes.

11. International Transfers

We are based in Canada and use service providers that may process information in Canada, the United States, the European Economic Area, the United Kingdom, and other jurisdictions. Where required, we use safeguards such as contractual commitments, data processing terms, and standard contractual clauses or equivalent transfer mechanisms.

If you are a resident of Quebec or another jurisdiction that requires explicit consent for the transfer of personal information outside your province or country, by creating an account, making a purchase, or using the Service, you expressly consent to the collection, processing, storage, and transfer of your personal information to and within Canada, the United States, the European Economic Area, the United Kingdom, and any other jurisdiction where we or our service providers operate, for the purposes described in this Privacy Policy. You may withdraw this consent at any time by closing your account and contacting us, subject to legal, billing, security, and legitimate retention obligations.

12. Security

We use administrative, technical, and organizational safeguards designed to protect personal information, including authentication controls, access controls, logging, monitoring, encryption in transit where supported, abuse controls, and provider security measures. No system is perfectly secure, and we cannot guarantee absolute security.

13. Your Rights and Choices

Depending on your location and relationship with us, you may have rights to access, correct, delete, export, restrict, object to, or withdraw consent for certain processing of your personal information. You may also have rights to complain to a privacy regulator. To make a request, contact us through the Help Center or at admin@shorturl.bot. We may need to verify your identity and may direct you to the relevant customer when we process data on that customer's behalf.

Residents of U.S. states with comprehensive privacy laws — currently including California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Delaware, Iowa, Indiana, Tennessee, New Jersey, Minnesota, Maryland, Kentucky, New Hampshire, Rhode Island, and any additional U.S. state where a comprehensive privacy law has taken effect — may have rights to know, access, correct, delete, port, opt out of sale or sharing or targeted advertising, limit use of sensitive personal information, and non-discrimination for exercising those rights. We do not sell personal information for money. Some analytics or advertising technologies may be considered sharing or targeted advertising under these laws depending on configuration; see our Cookie and Tracking Policy for controls.

14. Minors

The Service is not directed to minors. Accounts may only be created by individuals who are at least 18 years old and able to form a binding contract under the laws of their jurisdiction. We do not knowingly collect personal information from anyone under 18. If you believe we have collected personal information from a user under 18, contact us and we will delete it without undue delay.

If you use the Service to operate forms, hosted pages, conversion tracking, or short links that may be encountered by minors, you are responsible for obtaining required parental consent and complying with children's-privacy laws that apply to your use case (including, where applicable, the US Children's Online Privacy Protection Act (COPPA), the UK Age Appropriate Design Code, and equivalent laws).

15. Communications

You may opt out of marketing emails by using unsubscribe links where available. We may still send transactional, billing, security, legal, abuse, and service-related messages.

Transactional and relationship messages — including account confirmations, billing and renewal notices, security alerts, password and authentication messages, abuse and policy notices, domain-registration communications, form-response notifications to form owners, and service-status updates — are sent under the transactional and relationship-message exemptions of Canada's Anti-Spam Legislation (CASL) and equivalent laws and do not require separate opt-in consent.

16. Changes

We may update this Privacy Policy from time to time. The updated version is effective when posted unless a later date is stated. We may provide additional notice for material changes where required.

17. Quebec Residents and Automated Decision-Making

If you are a resident of Quebec, Quebec's Act respecting the protection of personal information in the private sector (Law 25) provides additional rights. In addition to the rights listed in Section 13, you have the right to be informed when a decision about you is based exclusively on automated processing, to request the main factors and parameters used in that decision, and to ask that the decision be reviewed by a human. You also have the right to the discontinuance of dissemination of personal information about you and to de-indexing in accordance with applicable law.

Automated processing used by the Service includes: AI-assisted link safety review and classification, automated abuse and phishing detection, rate-limit and bot filtering, and AI-generated content suggestions and summaries. These systems support platform safety and feature quality and are not, by themselves, used to deny you access to the Service without human involvement where Law 25 requires a human-review option.

To exercise Quebec-specific rights, contact us at admin@shorturl.bot and identify yourself as a Quebec resident. You may also file a complaint with the Commission d'accès à l'information du Québec.

18. Contact and Privacy Officer

Privacy questions and requests can be sent through the Help Center or to admin@shorturl.bot.

Under PIPEDA and Quebec Law 25, we have designated a person accountable for our compliance with applicable privacy laws. You can reach our Privacy Officer at admin@shorturl.bot with the subject line "Privacy Officer". The Privacy Officer acts as the point of contact for data-subject requests, privacy complaints, and regulator inquiries under the laws of Canada, Quebec, the European Economic Area, the United Kingdom, and other jurisdictions where applicable.

ShortURL.bot