Privacy Policy
Last updated: May 2026 · Effective: May 27, 2026
1. Introduction
Webb.in (“we”, “our”, “us”) operates the URL shortening platform at webb.in, app.webb.in, dev.webb.in, blog.webb.in, support.webb.in, status.webb.in, and khur.am (collectively, the “Service”). This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use any part of the Service.
This policy complies with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the CPRA (CCPA), and other applicable data protection laws. By using the Service, you acknowledge that you have read and understood this Privacy Policy.
2. Data Controller
Webb.in is the data controller for personal data processed through the Service. For any privacy-related enquiries, contact us at privacy@webb.in.
3. Information We Collect
3.1 Account Information
When you register, we collect your email address and a password. Passwords are stored as one-way cryptographic hashes—never in plain text. If you join or create a Team, we also store your display name and role within that team.
3.2 Billing & Payment Data
When you subscribe to a paid plan (Professional or Business), payment is processed by Stripe, Inc. We do not store credit card numbers. Stripe provides us with a tokenised reference, your billing email, plan type, subscription status, and invoice history. See Stripe’s Privacy Policy.
3.3 URL & Link Data
When you shorten a URL we store: the destination URL, the generated short code, custom alias (if any), UTM parameters (source, medium, campaign, term, content), password protection hash, expiration settings, social preview metadata (OG title, description, image URL), and QR code configuration.
3.4 Click Analytics
When someone clicks a short link we collect in aggregate: timestamp, device type, browser name, operating system, approximate geographic location (country and city derived from the clicker’s IP address), HTTP referrer, and UTM parameters appended to the redirect. IP addresses are used solely for geo-lookup and are not stored or logged.
3.5 Custom Domains & SSL
When you add a custom domain we store the domain name, DNS verification status, and SSL certificate metadata (issued by AWS Certificate Manager). We do not access your domain registrar account.
3.6 Webhooks
If you configure webhooks, we store your endpoint URL and a signing secret. Event payloads (url.created, url.clicked, url.deleted) are transmitted to your endpoint over HTTPS and retained in a delivery log for 30 days.
3.7 Third-Party Integrations
If you connect Google Analytics 4, Meta Conversions API, or Google Tag Manager, we store the measurement/pixel ID you provide. Click events are forwarded server-side to these third parties on your behalf. We do not receive data back from these services. Their respective privacy policies govern data they collect:
3.8 SSO & Team Data
If your organisation uses SAML 2.0 SSO, your Identity Provider transmits your email, name, and role mapping to us during authentication. We store these attributes for session management. We do not access your IdP admin console.
3.9 Developer API
When you generate an API key we store a SHA-256 hash of the key, a label you assign, and usage metadata (request count, last used timestamp). The plain-text key is shown once at creation and is never stored.
3.10 Abuse Reports
When a member of the public submits an abuse report via our Report a Link form or the API, we collect: the reported short URL, abuse category, description, optional reporter email address, and a one-way SHA-256 hash of the reporter’s IP address (the raw IP address is never stored). The IP hash is used solely to detect duplicate or bad-faith reports and for platform safety. Abuse reports are retained for 7 years for legal compliance and to enforce repeat-offender policies.
4. Legal Bases for Processing (GDPR)
We process personal data under the following legal bases defined in GDPR Article 6(1):
- Contract performance (Art. 6(1)(b)): Account creation, URL shortening, analytics, billing, custom domains, webhooks, integrations, Teams, SSO, API access.
- Legitimate interest (Art. 6(1)(f)): Abuse prevention, service security, aggregate usage statistics, infrastructure monitoring.
- Consent (Art. 6(1)(a)): Optional third-party analytics integrations (GA4, Meta CAPI, GTM) that transmit click data to third parties. You can withdraw consent at any time by disconnecting the integration.
- Legal obligation (Art. 6(1)(c)): Tax record-keeping for paid subscriptions, responding to lawful data requests.
5. How We Use Information
- To provide, maintain, and improve the URL shortening and redirection service
- To display click analytics, UTM breakdowns, and geographic data to link owners
- To authenticate users, manage accounts, and enforce role-based access within Teams
- To provision and renew SSL certificates for custom domains
- To deliver webhook event payloads to your configured endpoints
- To forward click events to your connected third-party analytics integrations
- To process payments and manage subscriptions via Stripe
- To send transactional emails (account verification, password reset, billing receipts)
- To prevent abuse, spam, and malicious use of the Service
- To investigate and action abuse reports submitted by the public or third parties
- To cooperate with law enforcement when required by lawful process, court order, or to prevent imminent harm
- To comply with legal and regulatory obligations
6. Cookies & Similar Technologies
6.1 Strictly Necessary Cookies
We use a session cookie containing a JSON Web Token (JWT) to authenticate you when you log in to app.webb.in. This cookie is first-party, HTTP-only, Secure, SameSite=Strict, and expires when your session ends. It cannot be used for cross-site tracking. No consent is required for strictly necessary cookies under GDPR or CCPA.
6.2 Cookie Consent Preferences
We store a webb_cookie_consent cookie to remember your cookie preferences. This cookie is first-party and persists for 365 days.
6.3 Optional / Third-Party Cookies
If you connect Google Analytics 4 or Google Tag Manager as an integration, those services may set their own cookies on redirect pages. These cookies are loaded only if you (the link owner) explicitly enable the integration and are governed by Google’s cookie policies. End-users clicking your links may encounter these cookies. Webb.in does not set any advertising, targeting, or cross-site tracking cookies itself.
6.4 No Sale of Cookie Data
We do not sell cookie data or use cookies for profiling, retargeting, or behavioural advertising.
7. Data Sharing & Third-Party Processors
We do not sell, rent, or share your personal information with third parties for their own marketing purposes. We share data with the following categories of processors, each bound by data processing agreements:
| Provider | Purpose | Data Shared |
|---|---|---|
| Amazon Web Services (AWS) | Infrastructure & hosting | All service data (encrypted at rest & in transit) |
| Stripe | Payment processing | Billing email, plan, payment tokens |
| Google (GA4/GTM) | Analytics (opt-in by link owner) | Click events, measurement ID |
| Meta (CAPI) | Conversion tracking (opt-in) | Click events, pixel ID |
| Law enforcement / courts | Legal compliance & public safety | Account info, link data, IP hashes — only in response to valid legal process or to prevent imminent harm; CSAM cases proactively reported to NCMEC |
Data may also be disclosed if required by law, regulation, legal process, or governmental request, or to protect our rights, safety, or property.
8. International Data Transfers
Our primary infrastructure is hosted in AWS US East (N. Virginia). If you access the Service from the European Economic Area (EEA), the United Kingdom, Switzerland, or any other jurisdiction outside the United States, your personal data is transferred to, stored, and processed in the United States — a jurisdiction that has not received an adequacy decision under GDPR (the EU-U.S. Data Privacy Framework applies only to certified participants).
For such transfers we rely on the following safeguards under GDPR Chapter V:
- Standard Contractual Clauses (SCCs): The European Commission’s 2021 SCCs (Modules 1, 2, and 3 as applicable) are incorporated into our agreements with subprocessors
- UK International Data Transfer Addendum (IDTA): Used in conjunction with SCCs for UK transfers
- Swiss DPA-recognised SCCs: For Swiss data transfers
- Supplementary measures: Encryption in transit (TLS 1.2+), encryption at rest (AES-256), minimisation of personal data, pseudonymisation where feasible
- Transfer Impact Assessment: We have assessed the laws of the destination jurisdiction (United States) and concluded that the safeguards provide protection essentially equivalent to that guaranteed within the EU, taking into account the limited nature and volume of personal data processed
You may request a copy of the SCCs governing transfers of your data by emailing privacy@webb.in.
9. Data Security
We implement industry-recognised administrative, technical, and physical safeguards designed to protect personal information:
- All traffic encrypted with HTTPS / TLS 1.2+ (TLS 1.0 and 1.1 disabled; HSTS preload-eligible)
- Passwords hashed with bcrypt (industry-standard work factor) — never stored in plain text
- API keys hashed with SHA-256; plain-text keys shown once at creation and never stored
- Webhook signing secrets stored encrypted; payloads signed with HMAC-SHA256
- DynamoDB encryption at rest with AWS-managed keys; backups encrypted
- CloudFront edge distribution with AWS Shield Standard DDoS protection
- Strict Content-Security-Policy, HSTS, X-Frame-Options, and Permissions-Policy headers
- Role-based access control within Teams; SAML 2.0 SSO with SCIM-style deprovisioning
- Principle of least privilege for internal staff access; access logs audited
- Regular dependency vulnerability scanning and patching
- Multi-factor authentication enforced for all internal admin / production-system access
- Routine backups with point-in-time recovery (PITR) enabled on critical tables; tested disaster recovery plan
Despite these measures, no method of transmission over the internet or method of electronic storage is 100% secure. We cannot guarantee absolute security and you transmit data to us at your own risk. See section 15b for our breach notification commitments.
10. Data Retention
- Account data: Retained while your account is active. Deleted within 30 days of account deletion.
- URLs & analytics: Retained while your account is active. On deletion, URLs are deactivated and analytics are anonymised within 30 days.
- Billing records: Retained for 7 years after the end of the billing relationship to comply with tax and accounting obligations.
- Webhook delivery logs: Retained for 30 days, then automatically purged.
- Server logs: Retained for 14 days for operational purposes, then deleted. IP addresses are not included in server logs.
- Abuse reports: Retained for 7 years for legal compliance, regulatory obligations, and repeat-offender tracking. Reporter IP hashes are used only for deduplication and are not linkable to identifiable individuals.
11. Your Rights Under GDPR
If you are in the EEA, UK, or Switzerland, you have the following rights under GDPR:
- Access (Art. 15): Request a copy of the personal data we hold about you.
- Rectification (Art. 16): Request correction of inaccurate or incomplete data.
- Erasure (Art. 17): Request deletion of your personal data (“right to be forgotten”).
- Restriction (Art. 18): Request that we limit processing of your data.
- Data Portability (Art. 20): Receive your data in a structured, machine-readable format (JSON).
- Objection (Art. 21): Object to processing based on legitimate interest.
- Withdraw Consent (Art. 7): Withdraw consent for optional processing at any time (e.g., disconnect third-party integrations).
- Lodge a Complaint: You have the right to lodge a complaint with your local supervisory authority.
To exercise any right, email privacy@webb.in or use the data export/delete features in your account settings. We will respond within 30 days.
12. Your Rights Under CCPA / CPRA (California)
If you are a California resident, you have additional rights under the CCPA as amended by the CPRA:
- Right to Know: You may request the categories and specific pieces of personal information we have collected about you in the past 12 months.
- Right to Delete: You may request deletion of personal information we have collected.
- Right to Correct: You may request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information as defined by the CCPA/CPRA. No opt-out is required.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
- Right to Limit Use of Sensitive Data: We do not collect sensitive personal information as defined by the CPRA.
Categories of information collected in the past 12 months: Identifiers (email), commercial information (subscription plan), internet activity (click analytics in aggregate), geolocation data (approximate, from IP—not stored). We do not collect biometric data, educational information, or protected classifications.
To submit a verifiable consumer request, email privacy@webb.in. We will verify your identity using your account email and respond within 45 days.
13. Children’s Privacy
The Service is not directed to, intended for, or marketed to children. We require account holders to be at least 13 years of age (United States — COPPA) or 16 years of age in the European Economic Area, the United Kingdom, and any other jurisdiction whose laws set a higher minimum age for data-processing consent. Paid plans require users to be at least 18 (or the local age of majority).
We do not knowingly collect personal information from children. If we discover that we have collected data from a child under the applicable minimum age, we will delete the data and terminate the account promptly. Parents or guardians who believe a child has provided us with personal data may contact privacy@webb.in to request immediate deletion.
14. Do Not Track & Global Privacy Control
Some browsers send a “Do Not Track” (DNT) HTTP header. Because there is no industry consensus on DNT, we do not currently change behaviour based on DNT signals. However, we do not engage in cross-site tracking, behavioural advertising, or the sale of personal information regardless of any signal. Where the Global Privacy Control (GPC) signal is recognised as a valid opt-out under applicable law (e.g., CCPA / CPRA in California, Colorado, Connecticut), we will honour it for the limited categories of processing to which it applies; because we do not sell or share personal information for cross-context behavioural advertising, GPC signals do not require additional opt-out from us.
15. Automated Decision-Making & Profiling
We do not use solely automated decision-making or profiling that produces legal or similarly significant effects concerning you, as defined by GDPR Article 22 or analogous provisions of the UK GDPR. Automated systems we operate (e.g., spam classifiers, malware-feed checks against Google Safe Browsing, abuse-rate thresholds) only flag content for human review; final decisions to suspend an account, disable a link, or restrict access are made or confirmed by a human reviewer.
15a. Sensitive Personal Information
We do not knowingly collect, process, or request “special category” data under GDPR Article 9 (such as racial or ethnic origin, political opinions, religious beliefs, trade-union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation) or “sensitive personal information” under the CPRA (such as government-issued identifiers, precise geolocation, racial or ethnic origin, religious beliefs, contents of mail/email/messages, genetic data, biometric data for identification, health data, or sex life). You agree not to upload, transmit, or process such categories of data through the Service unless you have established an explicit, lawful basis to do so and have notified us in writing. We accept no liability for sensitive data you submit in violation of this section.
15b. Data Security Breach Notification
We maintain administrative, technical, and physical safeguards designed to protect personal information against unauthorised access, alteration, disclosure, or destruction. In the event of a personal data breach as defined under GDPR Article 33, UK GDPR, CPRA, PIPEDA, LGPD, or analogous law, we will: (a) notify the relevant supervisory authority within 72 hours of becoming aware where required; (b) notify affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms; and (c) provide information on the nature of the breach, the categories and approximate number of data subjects, the likely consequences, and the measures taken or proposed to address it. No security system is impenetrable; we cannot guarantee the absolute security of any data transmitted over the internet.
15c. International Privacy Frameworks
In addition to GDPR (EU) and CCPA/CPRA (California), we comply with applicable elements of the following frameworks where they apply to our processing:
- UK GDPR & Data Protection Act 2018: Equivalent rights and obligations apply for individuals in the United Kingdom; ICO is the lead supervisory authority.
- Swiss FADP: Equivalent rights for individuals in Switzerland.
- Canadian PIPEDA & Quebec Law 25: Right to access, correction, withdrawal of consent, and (Quebec) data portability and explicit consent for sensitive data; we maintain a privacy officer role.
- Brazilian LGPD: Equivalent rights including access, anonymisation, deletion, portability, and revocation of consent. Submit requests to privacy@webb.in.
- Australian Privacy Act 1988 / APPs: Right to access and correct personal data; complaints may be lodged with the OAIC.
- U.S. state privacy laws (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, Texas TDPSA, Oregon OCPA, etc.): Right to access, correct, delete, port, and opt-out of targeted advertising / profiling. We do not engage in targeted advertising or sales of personal data; opt-out is automatic.
The Service is hosted in the United States and is not actively marketed to residents of mainland China, Russia, or other jurisdictions imposing data-localisation requirements. If you access the Service from such a jurisdiction, you do so on your own initiative and are responsible for compliance with local law.
15d. EU / UK Data Protection Representatives
Where required by GDPR Article 27 or the UK GDPR, we may appoint a designated representative in the European Union and the United Kingdom to act as our local point of contact for data-subject requests and supervisory-authority enquiries. To request the current representative’s contact details, or if no representative has been appointed and you wish to address us directly, email privacy@webb.in. EU residents may also lodge a complaint with the supervisory authority of their member state of residence.
15e. Identity Verification for Data Requests
To prevent fraudulent or unauthorised disclosure, we will verify the identity of any person submitting a data-subject access, deletion, correction, or portability request. Verification typically consists of confirming control of the email address associated with the account. For elevated-sensitivity requests, we may require additional verification (e.g., responding from a previously confirmed email, providing a recent invoice ID, or a notarised request). We may refuse manifestly unfounded, excessive, or repetitive requests, or charge a reasonable fee where permitted.
15f. Deceased & Incapacitated Users
Upon receipt of valid documentation (e.g., a death certificate or court-issued letters of authority), we will close the deceased or incapacitated user’s account and disable or transfer their links and custom domains as permitted by applicable law. We will not transfer plain-text credentials, API keys, or session tokens. Submit such requests to legal@webb.in.
15g. Anonymised & Aggregated Data
We may produce aggregated, de-identified, or anonymised data derived from your use of the Service (e.g., total clicks per country across all users, popular link categories, abuse-trend statistics). Such data does not identify any individual and is not personal data under GDPR, CCPA, or analogous laws. We may use and disclose anonymised data for research, security, product improvement, benchmarking, and public reporting without restriction. We do not attempt to re-identify anonymised data.
16. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices, legal requirements, or features. We will notify registered users of material changes via email at least 30 days before they take effect. The “Last updated” date at the top indicates the most recent revision.
17. Contact Us
For privacy-related enquiries, data subject requests, or complaints:
- Email: privacy@webb.in
- General support: support@webb.in