Plung Privacy Policy

1.1 Information Collected Through Public Use. When you use the Services without an account, we collect the destination URL and any custom alias you submit, link creation timestamps, and click event data associated with shortened URLs. Click event data may include the approximate geographic location derived from the requesting IP address, HTTP referrer, browser type and version, operating system, and device type. We do not require or associate this data with a personal identity.

1.2 Information Collected Through Developer Accounts. When you register for a developer account, we collect the information you provide during registration, which may include your name and email address. If you authenticate through a supported third-party provider, we receive a limited set of profile information from that provider, such as your account identifier, display name, and profile image URL. We store API key identifiers in hashed form only; plain-text API keys are not retained after initial issuance.

1.3 Billing Information. If you subscribe to a paid plan, your payment information is collected and processed directly by our third-party payment processor, who acts as the merchant of record. Plung does not directly collect, transmit, or store payment card numbers. We may receive from the payment processor a limited set of transaction and subscription metadata necessary to manage your account and plan entitlements.

1.4 Automatically Collected Information. When you interact with the Services, our servers automatically record certain technical information, including your IP address, request timestamps, HTTP headers, and browser characteristics. This information is used for service delivery, security monitoring, and abuse prevention.

We use the information we collect for the following purposes:

• To provide, operate, maintain, and improve the Services, including URL redirection, link management, and analytics computation.
• To authenticate users, maintain sessions, and manage developer accounts.
• To enforce usage quotas, rate limits, and plan-based access controls.
• To process subscription billing and manage plan entitlements through our payment processor.
• To detect, investigate, and prevent fraudulent, abusive, or unlawful activity, including URL safety screening and abuse report processing.
• To comply with applicable legal obligations, resolve disputes, and enforce our agreements.
• To communicate with you regarding your account, service updates, or security alerts.

3.1 URLs and Link Data. Shortened URLs created without an account are retained indefinitely unless a user-configured expiration is triggered or the link is removed by an administrator in response to a policy violation. URLs created through a developer account are retained for the lifetime of the account.

3.2 Click Analytics. Click event data is retained for the purpose of providing analytics and supporting abuse prevention. Aggregated, non-personally identifiable analytics may be retained indefinitely.

3.3 Account Data. Developer account data is retained while the account remains active. Upon receipt of a verified account deletion request, we will delete or anonymize your account data within thirty (30) days, except where we are required by law to retain certain information or where retention is necessary for legitimate business purposes such as fraud prevention or dispute resolution.

We use a minimal set of browser state mechanisms. A single httpOnly session cookie is set when a developer logs in to the console to maintain the authenticated session. This cookie is not accessible to client-side JavaScript and is cleared on logout or session expiry. Anonymous visitors do not receive authentication cookies. Recent link history for anonymous users is stored in browser local storage on your device and is never transmitted to our servers. For more details, see our Cookies Protocol.

5.1 No Sale of Data. We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

5.2 Service Providers. We may share information with third-party service providers who perform services on our behalf, such as payment processing, infrastructure hosting, and abuse screening. These providers are contractually obligated to use your information only for the purposes of providing their services to us and in a manner consistent with this Privacy Policy.

5.3 Legal Requirements. We may disclose your information if required to do so by law, regulation, legal process, or governmental request, or when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others, to investigate fraud, or to respond to a law enforcement request.

5.4 Business Transfers. In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email or a prominent notice on our Services of any change in ownership or uses of your information.

We implement reasonable administrative, technical, and physical security measures designed to protect the information we collect. These measures include encryption of sensitive credentials, hashed storage of API keys and passwords, and access controls on internal systems. However, no method of transmission over the Internet or method of electronic storage is completely secure, and we cannot guarantee absolute security.

Depending on your jurisdiction, you may have certain rights regarding your personal information, including the right to access, correct, delete, or port your data, or to object to or restrict certain processing. To exercise any of these rights, please contact us through the support page. We will respond to your request in accordance with applicable data protection laws.

The Services are not directed to individuals under the age of 16, and we do not knowingly collect personal information from children under 16. If we learn that we have collected personal information from a child under 16, we will take steps to delete such information promptly. If you believe that a child under 16 has provided us with personal information, please contact us through the support page.

We may update this Privacy Policy from time to time. If we make material changes, we will update the “Last Updated” date at the top of this page and, where required by applicable law, provide you with notice. Your continued use of the Services after any changes to this Privacy Policy constitutes your acceptance of the revised policy.

If you have any questions about this Privacy Policy or our data practices, please contact us through the support page.