Privacy Policy
The purpose of the ej.uz privacy policy is to provide the natural person - the data subject - with information about the purpose, scope, protection, and retention period of personal data processing at the time of data collection and when processing the data subject's personal data.
The ej.uz long link shortening service is operated by me, its creator - Eriks Remess. The data controller is Eriks Remess. Privacy and personal data requests should be sent to eriks@apps.lv. Facebook Messenger may be used for general support, but privacy and personal data requests should be sent by email.
How and what personal data we collect
Personal data is any information by which you could be identified.
When visiting ej.uz, the web server log stores:
- visit time;
- your IP address.
In addition to entries in the web log:
- When creating a new short link, the short link database stores:
- creation time;
- your IP address;
- the chosen or generated short link;
- the provided long link;
- account ownership, if the short link was created while signed in;
- optional link settings, such as stats visibility, expiration, UTM values, preview metadata, and destination rules, if configured.
- When visiting a previously created short link, the short link visit database stores:
- visit time;
- your IP address;
- the visited short link;
- limited routing/statistics context, such as detected platform, Latvia/non-Latvia country bucket, and matched destination rule.
- When using an account, the account database stores:
- your email address and email verification status;
- optional passkey credential data needed for passwordless sign-in;
- optional API key metadata, permissions, and derived key hashes;
- account and profile audit events, including action names, IP addresses, user agents, request IDs, and action-specific details such as sign-ins, email verification, passkey changes, API key changes, and owned short-link changes.
Why is the IP address stored?
- When creating a new short link, it is used to identify the user. It helps find other short links possibly created by the same user. If information is received that a short link leads to a website containing malware or phishing (stealing third-party access credentials), it is possible to quickly identify other similar links and block access to them.
- When visiting a short link or the home page, the IP address is used to register a unique visit, unless the Global Privacy Control signal is enabled.
- When using an account, the IP address is stored in account audit events to help investigate security-relevant changes.
Why and on what legal basis is personal data processed?
- Short-link creation, redirection, account management, passkeys, API keys, QR codes, statistics, link options, and destination rules are processed because this is necessary to provide the ej.uz service requested by the user.
- IP addresses, visit logs, account audit events, rate limits, and safety checks are processed based on the legitimate interest of securing the service, preventing abuse, enforcing the Terms of Use, and investigating malware, phishing, spam, gambling links, or other misuse.
- Cookies listed below are used only to provide service functionality, security, account state, and language or consent preferences.
- Personal data may also be processed when needed to comply with legal obligations or to protect legal rights and service security.
Which data is required and which is optional?
- To create and serve a short link, the long URL, the chosen or generated short link, and request metadata such as IP address are required. Without this data, the short link cannot be created, redirected, secured, or checked for abuse.
- Email address is required only for account features. Without an email address, account-owned short links, profile management, passkeys, and API keys cannot be used.
- Passkeys, API keys, custom aliases, link settings, preview metadata, UTM values, and destination rules are optional. If they are not provided or configured, the related optional feature is not used.
- For anonymous short-link changes or deletion, and for privacy or data requests, identity or ownership information may be required. If enough information is not provided, the request may not be possible to complete.
How are safety checks performed?
Submitted long URLs and the final redirect targets found after following redirects may be checked before a short link is created or updated. Destination domains may be sent to a safety-check provider. The Safe Browsing integration uses local hash lists and hash-prefix confirmation; full submitted URLs are not sent through that Safe Browsing check.
How long is collected personal data stored?
Personal data is stored in the European Union (EU) on self-managed cloud infrastructure.
- Information entered in the web server log is deleted approximately one week after the entry is made.
- Created short links are not automatically deleted and do not have an expiration date.
- A created short link may be deleted if its creator has requested it.
- Account data, passkeys, API key metadata, and account audit events are stored until the account is deleted.
- Revoked passkeys and API keys are retained as revoked records until account deletion so they cannot continue to be used.
- When an account is deleted, account data, passkeys, API keys, and account audit events are deleted. Short links created by that account stay live by default and become anonymous/unowned, unless the user also requests deletion of those short links.
- Deleted data may remain in self-managed backups for up to one month before backup rotation removes it.
- Access to a created short link is denied (blocked) if:
- it leads to a website containing malware;
- it leads to a phishing website (stealing third-party access credentials);
- it leads to an online gambling website;
- it is used in spam.
- Blocked short links are deleted three months after their creation. This period is chosen so that the short links cannot be recreated immediately after blocking and their creator cannot continue malicious activity.
What cookies are used and for what purposes?
Cookies are used only for service functionality, security, account state, and service preferences. There are no analytics, tracking, third-party, or optional cookies.
- __Secure-cookieconsent - contains the cookie notice status;
- __Secure-locale - stores the user's selected language (locally);
- __Secure-csrf and __Secure-csrf.s - protection against CSRF requests;
- __Host-auth - stores the signed account sign-in state;
- __Host-auth-register - temporarily stores passkey registration challenge state;
- __Host-auth-login - temporarily stores passkey login challenge state;
- __Host-auth-email-change - temporarily stores proof that a verified email change was confirmed with a passkey.
Who receives personal data?
Personal data is not sold and is not used for analytics or tracking. It is not shared with third parties for their own purposes. Limited data may be processed by service providers needed to run the service, such as EU cloud infrastructure, email delivery, and safety-check providers. Data may also be disclosed if required by law or when needed to protect rights, service security, or users.
How can you manage your data?
Signed-in users can manage their owned short links at /mans: if a short link was created while signed in, they can change its long URL and delete the short link themselves. Email, passkeys, and API keys can be managed at /mans/profils. If a short link was created anonymously, its long URL can be changed or the short link can be deleted by writing to eriks@apps.lv. Identity or ownership may need to be verified before personal data, account data, or anonymous short links are changed, exported, or deleted.
You may request access, correction, deletion, restriction, objection, and data portability where these rights apply. If processing is based on consent, you may withdraw that consent. Requests are handled as soon as possible and within one month. Some requests may be limited or refused when data must be retained for security, abuse prevention, legal claims, or legal obligations. You also have the right to lodge a complaint with the competent data protection supervisory authority.
Automated decision-making
ej.uz does not use GDPR Article 22 automated decision-making. Operational safety checks may still block unsafe destinations or refuse short-link creation, and destination rules may route visits according to configured link behavior.
Changes
We have the right to change this policy from time to time. Last updated on July 4, 2026.