Privacy Policy

Last updated: 28 February 2026

UtilsToGo ("we", "us", "our") is committed to protecting your privacy. This policy explains what data we collect, why, and your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Input Data & Privacy

Inputs submitted to stateless endpoints (text processing, hashing, encoding, security utilities, mathematical operations, date/time, AI analysis, and similar compute-only services) are not written to persistent storage. Only aggregate request counts are recorded for rate limiting and billing.

This means: if you send a password to the password generator, a JWT token to the JWT inspector, or text to the summariser — that data is processed in memory and discarded. It does not appear in logs, databases, or any persistent medium.

API responses from stateless endpoints include the header X-Privacy: no-input-logging to confirm this policy programmatically.

Stateful operations (short URL creation, QR code storage, account management) are recorded as they must be — you can delete this data at any time from your dashboard.

1. Data Controller

UtilsToGo is the data controller for personal data processed through this service. Contact: via the feedback form in your dashboard.

2. Data We Collect

Account Data

• Email address — for account identification and verification
• Password hash — bcrypt-hashed, we never store plaintext passwords
• Account tier — to enforce usage limits
• Registration date

Service Data

• Short URLs — the codes and target URLs you create
• API keys — hashed keys and prefixes for identification
• Usage counts — monthly aggregates of URLs created and redirects served

Click Analytics Data

• IP address hash — we hash IP addresses using SHA-256 and store only the first 16 characters. We never store raw IP addresses.
• Referrer URL — the page that linked to your short URL
• User agent — browser/device identification string
• Device type — derived category (mobile, desktop, tablet, bot)
• Country — derived from IP geolocation (when available)
• Timestamp — when the click occurred

3. Legal Basis for Processing

We process your data under the following legal bases:

• Contract — account data and service data are necessary to provide the service you signed up for
• Legitimate interest — click analytics to provide the URL shortening service features

4. Data We Do NOT Collect

• We do not use third-party analytics or tracking (no Google Analytics, no Facebook Pixel)
• We do not use advertising cookies
• We do not sell or share your data with third parties for marketing
• We do not store raw IP addresses

5. Cookies

We use a single essential cookie:

• session — an HTTP-only, secure, SameSite cookie containing your encrypted session token. Expires after 7 days. This cookie is essential for authentication and cannot be disabled.

We do not use any analytics, advertising, or tracking cookies.

6. Your Rights (UK GDPR)

You have the following rights:

• Right of access — export all your data via Account → Export Data
• Right to rectification — contact us to correct inaccurate data
• Right to erasure ("right to be forgotten") — delete your account and all associated data via Account → Delete Account. This is irreversible and removes all your URLs, click data, API keys, and usage records.
• Right to data portability — export your data as JSON via Account → Export Data
• Right to object — contact us to object to specific processing
• Right to restrict processing — contact us to restrict how we process your data

7. Data Retention

• Account data is retained while your account is active
• When you delete your account, all data is permanently deleted immediately via cascading database deletes
• Click analytics data is retained as long as the associated short URL exists
• Deleted short URLs have their click data deleted immediately

8. Data Security

We protect your data through:

• HTTPS encryption for all connections
• Bcrypt password hashing
• SHA-256 API key hashing
• IP address hashing (never stored in plaintext)
• HTTP-only, secure session cookies
• Database access restricted to the application

9. Third-Party Services

We use the following third-party services:

• SendGrid — for sending verification emails. SendGrid processes your email address to deliver emails. See SendGrid Privacy Policy.

10. International Transfers

Your data is stored on servers in the United Kingdom. Email delivery via SendGrid may involve data transfer to the United States under appropriate safeguards.

11. Children

The Service is not directed at children under 16. We do not knowingly collect data from children under 16.

12. Changes to This Policy

We will notify you of material changes via email at least 30 days before they take effect.

13. Supervisory Authority

You have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe your data protection rights have been violated. Visit ico.org.uk.