Privacy Policy
Your privacy is our priority
1. Data Controller
For privacy-related inquiries:
2. Age Restriction
Our services are intended for users aged 16 and older. By using fearly.eu, you confirm that you are at least 16 years of age. We do not knowingly collect personal data from children under 16. If you believe a child under 16 has provided us with personal data, please contact us immediately so we can delete it.
3. Data We Collect and Why
We collect only the minimum data necessary to provide our services. For each category of data we process, the purpose and legal basis under the GDPR are listed below.
Service and account data
| Data | Purpose | Legal basis |
|---|---|---|
| URLs submitted for shortening | To generate and serve the short link | Contract (Art. 6(1)(b)) |
| Short codes (generated or custom) | To identify and redirect short links | Contract (Art. 6(1)(b)) |
| QR code content and image | To generate, display and manage your QR codes | Contract (Art. 6(1)(b)) |
| Account credentials (email address and username, or account number — as chosen by you) | Account identification and login | Contract (Art. 6(1)(b)) |
| API keys | To authenticate requests from authorised applications such as the browser extension | Contract (Art. 6(1)(b)) |
| Subscription data (tier, start and expiry dates) | To manage access to premium features | Contract (Art. 6(1)(b)) |
| Hashed IP address | Rate limiting and abuse prevention. The raw IP address is never stored — only an anonymised, irreversible hash. | Legitimate interest (Art. 6(1)(f)) |
| Application and server logs | Security monitoring, error diagnosis and abuse detection | Legitimate interest (Art. 6(1)(f)) |
| Contact form data (subject, message, optional e-mail) | To handle your reports, questions and feature requests | Legitimate interest (Art. 6(1)(f)) |
| Click statistics (when enabled by you) | To provide anonymous analytics per link or QR code | Consent (Art. 6(1)(a)) |
4. What We Do Not Collect
- No tracking cookies or third-party analytics (Google Analytics, etc.)
- No browsing history or behavioural profiles
- No plain-text IP addresses — only irreversibly hashed values used solely for rate limiting
- No profiling or automated decision-making
- No advertising data of any kind
5. Data Security
We apply multiple layers of protection to keep your data safe:
- Encryption in transit: All communication with fearly.eu is encrypted via SSL/TLS.
- Field-level encryption at rest: Sensitive database fields — including hashed IP addresses, device data, QR code content and API keys — are AES-GCM encrypted at the application layer, independently of disk encryption.
- Password security: Passwords are never stored in plain text. We use bcrypt with SHA-256 pre-hashing and a server-side secret pepper.
- No profiling: We do not perform profiling or automated decision-making based on your data.
6. Cookies
We use only strictly necessary functional cookies. No tracking, analytics or advertising cookies are placed. No third-party cookies are used.
| Cookie | Purpose | Duration | HttpOnly |
|---|---|---|---|
fearly_session |
Maintains your login session | 7 days | Yes |
fearly_browser |
Security cookie | 24 hours | Yes |
fearly_logged_in |
UI indicator: allows the page to show or hide login elements. Contains no session data. | Session | No |
| Theme preference | Stores your dark/light mode preference | 1 year | No |
You can disable cookies in your browser settings. Doing so will prevent login functionality and theme preferences from being saved.
7. Data Collected from Link and QR Code Visitors
When someone clicks a shortened URL or scans a QR code, fearly.eu may collect the following data — only if the creator of that link or QR code has explicitly enabled statistics:
- Timing and frequency of visits
- IP address and derived location data (country, region, city, network organisation) — stored encrypted, never in plain text
- Device and browser characteristics (brand, model, type, operating system, browser, language)
- Traffic source (referrer, UTM parameters)
- Technical indicators (bot detection, VPN/proxy/Tor usage, visit uniqueness)
This processing is based on the consent of the link or QR code creator (Art. 6(1)(a) GDPR). fearly.eu acts as data controller for this processing. All collected fields are protected with field-level encryption at rest. Link creators only receive access to aggregated, anonymised reports and cannot identify individual visitors.
If your data has been collected in this way, you may contact us to exercise your GDPR rights, including access, rectification and erasure.
8. QR Code Content Storage
Content encoded in a QR code — such as a URL, text, Wi-Fi credentials or contact information — is stored on our servers so that the creator can view, share and edit it at a later time. This content may include sensitive information at the creator's discretion. All content fields are protected using field-level encryption at rest.
9. Data Storage and Retention
All data is stored on EU-based servers. All personal data is processed within the EU/EEA and is not transferred to third countries.
We retain data only as long as necessary for the purpose it was collected:
| Data category | Retention period |
|---|---|
| Logs and temporary security data | Maximum 31 days, then automatically deleted |
| Your content (URLs, QR codes, account data, statistics) | Until you delete it — immediately and permanently removed upon deletion |
| Contact form messages | 1 month after the case is closed |
| Encrypted backups | Deleted data may remain in encrypted backups for a maximum of 1 month |
10. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15) — You can request a copy of the personal data we hold about you.
- Right to rectification (Art. 16) — You can request correction of inaccurate or incomplete personal data.
- Right to erasure (Art. 17) — You can request deletion of your personal data. Where technically possible, data is deleted immediately and permanently.
- Right to restriction of processing (Art. 18) — You can request that we temporarily suspend processing of your data while a dispute is resolved.
- Right to data portability (Art. 20) — You can export your data directly from your dashboard, or request it via our contact form.
- Right to object (Art. 21) — You can object to processing that is based on legitimate interest.
- Right to withdraw consent (Art. 7(3)) — Where processing is based on your consent (e.g. click statistics), you may withdraw that consent at any time via your account settings. Withdrawal does not affect the lawfulness of any processing carried out before withdrawal.
11. How to Exercise Your Rights
You can exercise your rights in any of the following ways:
- Using the built-in export and deletion tools in your dashboard
- Submitting a request via our contact form
- Sending an e-mail to:
We will respond to your request within 30 days. In complex cases this may be extended by up to 2 additional months, in which case we will notify you in advance.
12. Supervisory Authority
If you believe we are not handling your personal data correctly, you have the right to lodge a complaint with the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit — GBA):
- Website: www.dataprotectionauthority.be
- Address: Drukpersstraat 35, 1000 Brussels, Belgium
13. Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our services or legal obligations. The date of the most recent revision is shown below. We encourage you to review this page periodically.
Last updated: 26 May, 2026