Legal Last updated: June 24, 2026

Privacy Policy

We built Truthylink on a simple principle: collect the minimum data needed to operate the service, protect it properly, and be transparent about what we do. This policy explains it all.

COOKIELESS REDIRECTS SERVER-SIDE ANALYTICS IP ANONYMISED GDPR COMPLIANT INDIA DPDP ACT 2023

1. Who We Are

Truthylink ("we", "us", "our") is a branded link shortener and analytics platform. We are based in India. For privacy-related queries, contact us at privacy@truthylink.com.

2. Data We Collect

2.1 Account data

When you register, we collect your name, email address, and (if applicable) payment details processed by our payment gateway. We do not store raw card numbers.

2.2 Link data

We store the destination URLs you shorten, your chosen slugs, and any link metadata (title, tags, expiry settings) you configure.

2.3 Click data

When a visitor clicks one of your links, we record the following from the HTTP request:

  • Anonymised IP address — the visitor's IP is immediately truncated to a /24 subnet for IPv4 (e.g. 192.168.1.0) or a /48 prefix for IPv6. The full IP address is never stored.
  • User-Agent string — used to derive device type and browser family, and to detect known bots.
  • Referrer header — the page the visitor came from, if provided by their browser.
  • Country — derived from the anonymised IP via a third-party geolocation API (ip-api.com). Responses are cached for 24 hours and raw IPs are never sent in persistent form.
  • Timestamp — when the click occurred.

No cookies, fingerprinting scripts, or client-side tracking libraries are used. All processing is server-side.

3. Cookieless Analytics

Truthylink's analytics are entirely server-side and cookieless. This means:

  • We set no cookies on visitors who click your links.
  • We load no JavaScript analytics libraries (no Google Analytics, Segment, Mixpanel, Meta Pixel, or similar) on redirect pages.
  • There is no cross-site tracking of visitors across different Truthylink links or external sites.
  • All metrics (click counts, device breakdown, geography) are derived entirely from HTTP request headers at the time of the redirect.

Because we set no cookies on visitors, link creators using Truthylink do not need to display cookie consent banners on their redirect pages for analytics purposes. This design is compliant with GDPR, the India DPDP Act 2023, and ePrivacy requirements without any additional configuration.

We submit destination URLs to the Google Safe Browsing API to check for known malware, phishing, and unwanted-software threats. This means:

  • Destination URLs you shorten are sent to Google's Safe Browsing API as part of the scanning process.
  • Google's use of this data is governed by the Google Safe Browsing API Terms of Service.
  • Scan results are cached on our servers for a period before being refreshed.
  • No personally identifiable information about link visitors is included in Safe Browsing API requests.

The purpose of this processing is to protect visitors from malicious content and is a core part of the Service (legitimate interest / contract performance basis under GDPR).

5. Destination Health Monitoring

For Pro and Business plan users, we perform automated daily HTTP HEAD requests to the destination URLs of your active links. This is done to check availability (HTTP status) and SSL certificate validity.

  • These requests originate from our servers and are automated.
  • No visitor data is transmitted during health checks — they are plain server-to-server pings.
  • Health check results (status code, SSL expiry date, last-checked timestamp) are stored and made available in your dashboard.

The legal basis for this processing is performance of your subscription contract.

6. Click Fraud Detection

We analyse click patterns in real time to identify likely fraudulent or non-human traffic. The analysis uses:

  • Anonymised IP subnet — to detect repeated clicks from the same /24 block (IPv4) or /48 prefix (IPv6) within a one-hour window.
  • Click rate patterns — to flag burst patterns (5+ clicks from the same subnet on one link within an hour) indicative of click farming.
  • IP reputation data — if configured, clicks are checked against ip-api.com's proxy, Tor, and hosting-IP databases. The visitor's anonymised IP is sent to ip-api.com for this check; results are cached for 24 hours. ip-api.com's privacy policy governs their handling of that data.
  • User-Agent detection — known bot and crawler signatures are matched against a maintained bot list.

Clicks classified as fraudulent or bot-generated are excluded from your reported analytics and flagged in the raw data. The legal basis is legitimate interest (maintaining accurate analytics for our customers).

7. How We Use Your Data

DataPurposeLegal basis
Account dataAccount management, support, billingContract performance
Click data (anonymised)Analytics dashboard for link creatorsContract performance / legitimate interest
Destination URLsSafe Browsing scanning, health monitoringContract performance
Fraud signalsAccurate click reporting, abuse preventionLegitimate interest
Email addressService notifications, product updates (opt-out available)Contract performance / consent

8. Data Sharing

We do not sell your personal data. We share data only with:

  • Google Safe Browsing API — destination URLs only, for malware/phishing scanning.
  • ip-api.com — anonymised IP addresses only, for geolocation and (optionally) fraud/VPN detection.
  • Payment processor (Razorpay) — billing information for paid plan transactions. We do not see or store full card details.
  • Infrastructure providers — hosting and database services under data processing agreements.

We require all sub-processors to maintain appropriate security standards. We do not transfer personal data outside India / the EEA without adequate safeguards.

9. Data Retention

  • Account data — retained for as long as your account is active. Deleting your account (available any time from your account settings) permanently and immediately removes your account and all directly associated data — links, click history, subscriptions, and team memberships.
  • Click data — your analytics dashboard shows click history for a window based on your plan (30 days on Free, 90 days on Pro, 365 days on Business, unlimited on Enterprise). Click data older than your plan's window is retained in underlying storage but not shown or exportable — upgrading later surfaces your full prior history, not just history from the upgrade date. You can request deletion of your account's click data at any time via the Erasure right below.
  • Billing records — retained for 7 years as required by Indian accounting law.
  • Fraud flags — retained for auditing and abuse-prevention purposes.

10. Security

We use industry-standard measures to protect your data, including encryption in transit (TLS), encrypted storage for sensitive fields, access controls, and regular security reviews. We never store full IP addresses — only anonymised subnet prefixes.

If you discover a security vulnerability, please report it to security@truthylink.com.

11. Your Rights — GDPR and India DPDP Act 2023

Depending on your location, you may have the following rights regarding your personal data:

  • Access — request a copy of the data we hold about you.
  • Rectification — ask us to correct inaccurate data.
  • Erasure — delete your own account any time from account settings for immediate removal, or request deletion of specific data by email (subject to legal retention obligations, e.g. billing records).
  • Restriction — ask us to limit how we use your data.
  • Portability — receive your data in a machine-readable format.
  • Objection — object to processing based on legitimate interests.
  • Withdraw consent — where processing is based on consent, withdraw it at any time.

To exercise any of these rights, email privacy@truthylink.com. We will respond within 30 days. If you are in the EEA and believe we have not handled your data lawfully, you have the right to lodge a complaint with your local data protection authority. If you are in India, you may contact the Data Protection Board of India once established under the DPDP Act 2023.

12. Cookies

Cookie use differs by which part of Truthylink you're on:

  • App pages (app.truthylink.com — your dashboard) use a small number of strictly necessary cookies for session management and security (CSRF protection). No advertising, tracking, or analytics cookies are set here.
  • Marketing pages (truthylink.com — pages like this one) use the same strictly necessary session cookie, and may also load Google Analytics and Microsoft Clarity, which set their own analytics cookies to help us understand how visitors use our marketing site. These do not run on your dashboard or on redirect pages.
  • Redirect pages (the pages visitors see when clicking your links) set no cookies whatsoever — click analytics here are entirely server-side, as described in Section 3.

13. Children

The Service is not directed to children under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

14. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through a notice in the Service at least 14 days before the changes take effect. Continued use of the Service after that date constitutes acceptance of the updated policy.

15. Contact

For privacy questions or to exercise your rights:

Truthylink Assistant

Ask about pricing & features

Hi! Ask me anything about Truthylink's plans and features.