Privacy Policy
Last updated: 28 February 2026
UtilsToGo ("we", "us", "our") is committed to protecting your privacy. This policy explains what data we collect, why, and your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Data Controller
UtilsToGo is the data controller for personal data processed through this service. Contact: via the feedback form in your dashboard.
2. Data We Collect
Account Data
- Email address — for account identification and verification
- Password hash — bcrypt-hashed; we never store plaintext passwords
- Account tier — to enforce usage limits
- Registration date
Service Data
- Short URLs — the codes and target URLs you create
- API keys — hashed keys and prefixes for identification
- Usage counts — monthly aggregates of URLs created and redirects served
Click Analytics Data
- IP address hash — we hash IP addresses using SHA-256 and store only the first 16 characters. We never store raw IP addresses.
- Referrer URL — the page that linked to your short URL
- User agent — browser/device identification string
- Device type — derived category (mobile, desktop, tablet, bot)
- Country — derived from IP geolocation (when available)
- Timestamp — when the click occurred
3. Legal Basis for Processing
We process your data under the following legal bases:
- Contract — account data and service data are necessary to provide the service you signed up for
- Legitimate interest — click analytics are processed to provide the features of the URL shortening service
4. Data We Do NOT Collect
- We do not use third-party analytics or tracking (no Google Analytics, no Facebook Pixel)
- We do not use advertising cookies
- We do not sell or share your data with third parties for marketing
- We do not store raw IP addresses
5. Cookies
We use a single essential cookie:
- session — an HTTP-only, secure, SameSite cookie containing your encrypted session token. Expires after 7 days. This cookie is essential for authentication and cannot be disabled.
We do not use any analytics, advertising, or tracking cookies.
6. Your Rights (UK GDPR)
You have the following rights:
- Right of access — export all your data via Account → Export Data
- Right to rectification — contact us to correct inaccurate data
- Right to erasure ("right to be forgotten") — delete your account and all associated data via Account → Delete Account. This is irreversible and removes all your URLs, click data, API keys, and usage records.
- Right to data portability — export your data as JSON via Account → Export Data
- Right to object — contact us to object to specific processing
- Right to restrict processing — contact us to restrict how we process your data
7. Data Retention
- Account data is retained while your account is active
- When you delete your account, all data is permanently deleted immediately via cascading database deletes
- Click analytics data is retained as long as the associated short URL exists
- Deleted short URLs have their click data deleted immediately
8. Data Security
We protect your data through:
- HTTPS encryption for all connections
- Bcrypt password hashing
- SHA-256 API key hashing
- IP address hashing (never stored in plaintext)
- HTTP-only, secure session cookies
- Database access restricted to the application
9. Third-Party Services
We use the following third-party services:
- SendGrid — for sending verification emails. SendGrid processes your email address to deliver emails. See the SendGrid Privacy Policy.
10. International Transfers
Your data is stored on servers in the United Kingdom. Email delivery via SendGrid may involve data transfer to the United States under appropriate safeguards.
11. Children
The Service is not directed at children under 16. We do not knowingly collect data from children under 16.
12. Changes to This Policy
We will notify you of material changes via email at least 30 days before they take effect.
13. Supervisory Authority
You have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe your data protection rights have been violated. Visit ico.org.uk.