SHORTCLIX (“us”, “we”, or “our”) operates the https://shortclix.com website and the URL-shortening service offered there (the “Service”). We take the protection of your personal data seriously and process it exclusively in accordance with the EU General Data Protection Regulation (GDPR), the Austrian Data Protection Act (DSG) and the Austrian Telecommunications Act (TKG 2021). This policy explains what personal data we process, for which purposes and on which legal basis, and which rights you have.
SHORTCLIX is a brand of rematic media GmbH. rematic media GmbH is the operator of this website and the controller responsible for the processing of personal data within the meaning of the GDPR:
rematic media GmbH
Argentinierstraße 51/1, 1040 Vienna, Austria
E-mail: support@shortclix.com
Full company details are available in our Imprint.
Under the GDPR you have the rights of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18) and data portability (Art. 20), and the right to object to processing based on our legitimate interests (Art. 21). Where processing is based on your consent, you may withdraw that consent at any time with effect for the future; this does not affect the lawfulness of processing carried out before the withdrawal.
To exercise any of these rights, contact us at support@shortclix.com. Whenever possible you can also update or delete your data directly in your account settings. We may ask you to verify your identity before responding.
You also have the right to lodge a complaint with a supervisory authority. The competent authority for us is the Austrian Data Protection Authority (Österreichische Datenschutzbehörde, Barichgasse 40-42, 1030 Vienna, www.dsb.gv.at). You may also contact the authority in your country of residence.
We process personal data on the following legal bases: to perform our contract with you or take pre-contractual steps (Art. 6(1)(b) GDPR), to comply with legal obligations such as accounting and tax law (Art. 6(1)(c) GDPR), on the basis of your consent (Art. 6(1)(a) GDPR) and on the basis of our legitimate interests (Art. 6(1)(f) GDPR), in particular in the secure, reliable and abuse-free operation and improvement of the Service. The relevant basis for each purpose is stated below.
When you register for the Service we process the data you provide, in particular your e-mail address and first and last name, as well as account settings and authentication data (including two-factor authentication secrets where enabled). This is necessary to create and operate your account and to provide the Service (Art. 6(1)(b) GDPR). We retain this data for as long as your account exists and delete it after account closure, unless statutory retention periods require otherwise.
For paid plans we process billing details (e.g. name, address, country, the subscription and invoices). Payment card data is not stored or collected by us; it is provided directly to our payment processor, depending on the method you choose (e.g. Stripe, Paddle or Lemon Squeezy), whose own privacy policy governs that processing. Processing is necessary to perform the contract (Art. 6(1)(b) GDPR). Invoices and accounting records are retained for the statutory period (currently seven years under Austrian tax law, § 132 BAO) on the basis of Art. 6(1)(c) GDPR.
When someone opens a link you have shortened with the Service, we record statistical data about that click so we can provide you with analytics: the time of the click, the referring website, the visitor’s country (derived from the IP address via a local GeoLite2 lookup, after which the IP address itself is discarded), and the device type, browser, operating system and browser language. We do not store the visitor’s IP address in plain text; instead we store a hashed value. Please note that, because such a hash can in principle be related back to an IP address, it is treated as pseudonymous personal data rather than anonymous data.
This processing is based on our legitimate interest, and that of our customers, in measuring and improving the performance of their links (Art. 6(1)(f) GDPR). Click data is automatically deleted after 24 months.
If you contact us (e.g. by e-mail), we process the information you provide in order to handle your request (Art. 6(1)(b) GDPR if related to a contract, otherwise our legitimate interest in responding effectively, Art. 6(1)(f) GDPR). We retain this correspondence until your request has been dealt with and any applicable retention periods have expired.
We send transactional e-mails required to operate the Service (e.g. account, billing and automated statistics reports). Where permitted, we may also send information about features or offers similar to those you already use; you can object or unsubscribe at any time via the link in each e-mail or by contacting us. Such mailings are based on your consent (Art. 6(1)(a) GDPR) or, for existing customers, on Art. 6(1)(f) GDPR in conjunction with § 174 TKG 2021.
When you access the Service, our hosting and edge infrastructure automatically records technical data in server log files, including the IP address, date and time of the request, the requested resource, referrer, browser type and operating system. This is necessary for the secure and stable provision of the Service and to detect and prevent attacks (Art. 6(1)(f) GDPR). Log files are stored only for a short period and then deleted or aggregated.
We use Cloudflare Turnstile on our forms to distinguish human users from automated requests and to protect against spam and brute-force attacks. Cloudflare processes technical data such as the IP address and browser characteristics for this purpose. This is based on our legitimate interest in protecting the Service (Art. 6(1)(f) GDPR).
To keep the Service reliable we use error monitoring (Sentry) and performance monitoring (Laravel Nightwatch). These tools record technical diagnostic data about errors and requests. We have configured error monitoring not to transmit personal data (no IP addresses, e-mail addresses, request bodies or headers). This processing is based on our legitimate interest in a secure and functioning Service (Art. 6(1)(f) GDPR).
We use Plausible Analytics, a privacy-friendly web analytics service provided by Plausible Insights OÜ (Estonia, EU), to understand how our website is used in aggregate (e.g. page views, referrers, country and device type). Plausible is cookieless: it sets no cookies, does not store your IP address, does not collect personal data and does not track you across websites or devices. All data is processed and stored exclusively within the European Union. Because no personal data is processed and no information is stored on or read from your device, no consent is required; the processing is based on our legitimate interest in understanding and improving our website (Art. 6(1)(f) GDPR). More information is available in Plausible’s data policy and its data collection details.
We only use cookies that are strictly necessary to operate the Service, such as the session cookie, the CSRF security token, and authentication and two-factor cookies. These cookies are required for the website to function and are therefore exempt from consent under § 165(3) TKG 2021 and Art. 5(3) of the ePrivacy Directive; no consent banner is required for them. We do not currently use analytics, advertising or other non-essential tracking cookies. Should we introduce such technologies in the future, we will first obtain your consent through an appropriate consent tool and update this policy accordingly. You can configure your browser to refuse or delete cookies, but some parts of the Service may then not work.
We only disclose personal data where this is necessary, where we are legally obliged to do so, or where another legal basis permits it. Where we use service providers that process data on our behalf, we do so under data processing agreements pursuant to Art. 28 GDPR. The main processors we rely on are:
Some of the providers above are based in the United States or may process data outside the European Economic Area. Where this is the case, the transfer is safeguarded by the European Commission’s Standard Contractual Clauses and/or, where the provider is certified, the EU–US Data Privacy Framework, together with additional technical and organisational measures. You can request a copy of the relevant safeguards from us.
We retain personal data only for as long as necessary for the purposes described above or as required by law: account data for the lifetime of your account, click tracking data for 24 months, server log files for a short period, and invoicing and accounting records for the statutory retention period. When a purpose no longer applies and no legal retention obligation exists, the data is deleted.
We use appropriate technical and organisational measures to protect your data, including TLS encryption of all traffic and strict transport security (HSTS). However, no method of transmission over the Internet or electronic storage is fully secure, so we cannot guarantee absolute security.
The Service is not directed at children. In Austria, consent to information-society services requires a minimum age of 14 (§ 4(4) DSG). We do not knowingly collect personal data from children below that age. If you believe a child has provided us with personal data, please contact us and we will delete it.
We may update this Privacy Policy from time to time. We will post the updated version on this page and, where the changes are material, notify you by e-mail or a prominent notice on the Service before they take effect. Please review this policy periodically.
If you have any questions about this Privacy Policy or your data, please contact us at support@shortclix.com.