Privacy Policy

Last updated: April 2026

1. Introduction

Webb.in (“we”, “our”, “us”) operates the URL shortening platform at webb.in, app.webb.in, dev.webb.in, blog.webb.in, support.webb.in, status.webb.in, and khur.am (collectively, the “Service”). This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use any part of the Service.

This policy complies with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the CPRA (CCPA), and other applicable data protection laws. By using the Service, you acknowledge that you have read and understood this Privacy Policy.

2. Data Controller

Webb.in is the data controller for personal data processed through the Service. For any privacy-related enquiries, contact us at privacy@webb.in.

3. Information We Collect

3.1 Account Information

When you register, we collect your email address and a password. Passwords are stored as one-way cryptographic hashes—never in plain text. If you join or create a Team, we also store your display name and role within that team.

3.2 Billing & Payment Data

When you subscribe to a paid plan (Professional or Business), payment is processed by Stripe, Inc. We do not store credit card numbers. Stripe provides us with a tokenised reference, your billing email, plan type, subscription status, and invoice history. See Stripe’s Privacy Policy.

3.3 URL & Link Data

When you shorten a URL we store: the destination URL, the generated short code, custom alias (if any), UTM parameters (source, medium, campaign, term, content), password protection hash, expiration settings, social preview metadata (OG title, description, image URL), and QR code configuration.

3.4 Click Analytics

When someone clicks a short link we collect in aggregate: timestamp, device type, browser name, operating system, approximate geographic location (country and city derived from the clicker’s IP address), HTTP referrer, and UTM parameters appended to the redirect. IP addresses are used solely for geo-lookup and are not stored or logged.

3.5 Custom Domains & SSL

When you add a custom domain we store the domain name, DNS verification status, and SSL certificate metadata (issued by AWS Certificate Manager). We do not access your domain registrar account.

3.6 Webhooks

If you configure webhooks, we store your endpoint URL and a signing secret. Event payloads (url.created, url.clicked, url.deleted) are transmitted to your endpoint over HTTPS and retained in a delivery log for 30 days.

3.7 Third-Party Integrations

If you connect Google Analytics 4, Meta Conversions API, or Google Tag Manager, we store the measurement/pixel ID you provide. Click events are forwarded server-side to these third parties on your behalf. We do not receive data back from these services. Their respective privacy policies govern data they collect:

3.8 SSO & Team Data

If your organisation uses SAML 2.0 SSO, your Identity Provider transmits your email, name, and role mapping to us during authentication. We store these attributes for session management. We do not access your IdP admin console.

3.9 Developer API

When you generate an API key we store a SHA-256 hash of the key, a label you assign, and usage metadata (request count, last used timestamp). The plain-text key is shown once at creation and is never stored.

4. Legal Bases for Processing (GDPR)

We process personal data under the following legal bases defined in GDPR Article 6(1):

  • Contract performance (Art. 6(1)(b)): Account creation, URL shortening, analytics, billing, custom domains, webhooks, integrations, Teams, SSO, API access.
  • Legitimate interest (Art. 6(1)(f)): Abuse prevention, service security, aggregate usage statistics, infrastructure monitoring.
  • Consent (Art. 6(1)(a)): Optional third-party analytics integrations (GA4, Meta CAPI, GTM) that transmit click data to third parties. You can withdraw consent at any time by disconnecting the integration.
  • Legal obligation (Art. 6(1)(c)): Tax record-keeping for paid subscriptions, responding to lawful data requests.

5. How We Use Information

  • To provide, maintain, and improve the URL shortening and redirection service
  • To display click analytics, UTM breakdowns, and geographic data to link owners
  • To authenticate users, manage accounts, and enforce role-based access within Teams
  • To provision and renew SSL certificates for custom domains
  • To deliver webhook event payloads to your configured endpoints
  • To forward click events to your connected third-party analytics integrations
  • To process payments and manage subscriptions via Stripe
  • To send transactional emails (account verification, password reset, billing receipts)
  • To prevent abuse, spam, and malicious use of the Service
  • To comply with legal and regulatory obligations

6. Cookies & Similar Technologies

6.1 Strictly Necessary Cookies

We use a session cookie containing a JSON Web Token (JWT) to authenticate you when you log in to app.webb.in. This cookie is first-party, HTTP-only, Secure, SameSite=Strict, and expires when your session ends. It cannot be used for cross-site tracking. No consent is required for strictly necessary cookies under GDPR or CCPA.

6.2 Cookie Consent Preferences

We store a webb_cookie_consent cookie to remember your cookie preferences. This cookie is first-party and persists for 365 days.

6.3 Optional / Third-Party Cookies

If you connect Google Analytics 4 or Google Tag Manager as an integration, those services may set their own cookies on redirect pages. These cookies are loaded only if you (the link owner) explicitly enable the integration and are governed by Google’s cookie policies. End-users clicking your links may encounter these cookies. Webb.in does not set any advertising, targeting, or cross-site tracking cookies itself.

6.4 No Sale of Cookie Data

We do not sell cookie data or use cookies for profiling, retargeting, or behavioural advertising.

7. Data Sharing & Third-Party Processors

We do not sell, rent, or share your personal information with third parties for their own marketing purposes. We share data with the following categories of processors, each bound by data processing agreements:

ProviderPurposeData Shared
Amazon Web Services (AWS)Infrastructure & hostingAll service data (encrypted at rest & in transit)
StripePayment processingBilling email, plan, payment tokens
Google (GA4/GTM)Analytics (opt-in by link owner)Click events, measurement ID
Meta (CAPI)Conversion tracking (opt-in)Click events, pixel ID

Data may also be disclosed if required by law, regulation, legal process, or governmental request, or to protect our rights, safety, or property.

8. International Data Transfers

Our infrastructure is hosted in AWS US East (N. Virginia). If you access the Service from the European Economic Area (EEA), UK, or Switzerland, your data is transferred to the United States. We rely on AWS’s Data Processing Addendum and Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate safeguards for cross-border transfers under GDPR Chapter V.

9. Data Security

  • All traffic encrypted with HTTPS/TLS 1.2+ (TLS 1.0 and 1.1 disabled)
  • Passwords hashed with bcrypt (industry-standard work factor)
  • API keys hashed with SHA-256; plain-text keys never stored
  • Webhook signing secrets stored encrypted; payloads signed with HMAC-SHA256
  • DynamoDB encryption at rest with AWS-managed keys
  • CloudFront edge distribution with AWS Shield Standard DDoS protection
  • Strict Content-Security-Policy and HSTS headers on all sites
  • Role-based access control within Teams; SAML 2.0 SSO with automatic deprovisioning

10. Data Retention

  • Account data: Retained while your account is active. Deleted within 30 days of account deletion.
  • URLs & analytics: Retained while your account is active. On deletion, URLs are deactivated and analytics are anonymised within 30 days.
  • Billing records: Retained for 7 years after the end of the billing relationship to comply with tax and accounting obligations.
  • Webhook delivery logs: Retained for 30 days, then automatically purged.
  • Server logs: Retained for 14 days for operational purposes, then deleted. IP addresses are not included in server logs.

11. Your Rights Under GDPR

If you are in the EEA, UK, or Switzerland, you have the following rights under GDPR:

  • Access (Art. 15): Request a copy of the personal data we hold about you.
  • Rectification (Art. 16): Request correction of inaccurate or incomplete data.
  • Erasure (Art. 17): Request deletion of your personal data (“right to be forgotten”).
  • Restriction (Art. 18): Request that we limit processing of your data.
  • Data Portability (Art. 20): Receive your data in a structured, machine-readable format (JSON).
  • Objection (Art. 21): Object to processing based on legitimate interest.
  • Withdraw Consent (Art. 7): Withdraw consent for optional processing at any time (e.g., disconnect third-party integrations).
  • Lodge a Complaint: You have the right to lodge a complaint with your local supervisory authority.

To exercise any right, email privacy@webb.in or use the data export/delete features in your account settings. We will respond within 30 days.

12. Your Rights Under CCPA / CPRA (California)

If you are a California resident, you have additional rights under the CCPA as amended by the CPRA:

  • Right to Know: You may request the categories and specific pieces of personal information we have collected about you in the past 12 months.
  • Right to Delete: You may request deletion of personal information we have collected.
  • Right to Correct: You may request correction of inaccurate personal information.
  • Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information as defined by the CCPA/CPRA. No opt-out is required.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
  • Right to Limit Use of Sensitive Data: We do not collect sensitive personal information as defined by the CPRA.

Categories of information collected in the past 12 months: Identifiers (email), commercial information (subscription plan), internet activity (click analytics in aggregate), geolocation data (approximate, from IP—not stored). We do not collect biometric data, educational information, or protected classifications.

To submit a verifiable consumer request, email privacy@webb.in. We will verify your identity using your account email and respond within 45 days.

13. Children’s Privacy

The Service is not directed to children under 16 (or under 13 in the United States under COPPA). We do not knowingly collect personal information from children. If we learn that we have collected data from a child, we will delete it promptly. Contact privacy@webb.in if you believe a child has provided us with personal data.

14. Do Not Track

Some browsers send a “Do Not Track” (DNT) signal. Because there is no industry standard for DNT, we do not currently respond to DNT signals. However, we do not engage in cross-site tracking regardless of DNT settings.

15. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects concerning you as defined by GDPR Article 22.

16. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices, legal requirements, or features. We will notify registered users of material changes via email at least 30 days before they take effect. The “Last updated” date at the top indicates the most recent revision.

17. Contact Us

For privacy-related enquiries, data subject requests, or complaints: