Legal

Privacy Policy

Last updated: 10 May 2026

Attr.so("we", "our", "us") respects your privacy. This policy explains what we collect, how we use it, and the choices you have. It applies to our web application and the optional Attr.so Chrome extension.

The short version: we run a privacy-first link shortener. We never drop visitor cookies on the redirect, we do not load any third-party trackers on click, we do not sell or share your data, and you can export or delete everything you have stored with us at any time.

What we collect

Account information. Email, name, and profile image you provide at sign-up (or that your Google account provides on OAuth sign-in).
Authentication tokens. After you sign in, we issue a short-lived session token. The Attr.so Chrome extension caches this token locally so you can shorten the current tab from any page on the web without logging in twice. The token lives on your device and is sent to our API only to authenticate your own requests.
Link metadata. The destination URL you shorten, the slug you choose, the campaign and UTM parameters you tag it with, the custom domain you assign it to, and any expiration / paused-redirect / blocked-country settings you configure.
Click events. When someone follows one of your shortlinks, we record the click timestamp, an approximate country (derived from the visitor IP at edge), the device class (desktop / mobile / tablet), the browser user-agent string, and the HTTP referrer header (when the browser sends one). We use the IP only to derive country and for short-window abuse detection - the raw IP is dropped from the analytics row within 30 days.
Billing. Handled by Stripe on our web app. We do not see or store your card details.
Account login activity. When you sign in or sign out of the dashboard, we record the timestamp, IP address, browser user-agent, and approximate country so you can detect unauthorised access. We do not sell or share this data.

What we do NOT collect on the redirect

The redirect is the part of a link shortener that has the most contact with your visitors, so we treat it conservatively. Attr.so does not:

Drop any cookies on the visitor's browser.
Load Google Analytics, Facebook Pixel, or any third-party ad-tech beacon.
Fingerprint the visitor with canvas / WebGL / font-stack tricks.
Store the visitor's exact IP beyond a 30-day window (country only after that).
Store the visitor's precise location - country is the most granular signal we keep.

How we use it

Link metadata and click events power the analytics on your dashboard - click counts, country breakdowns, top referrers, campaign rollups, and the data quality score that flags obvious bot traffic. We use anonymised, aggregated counts to understand product usage in aggregate. We do not sell, rent, or share your data with third parties for advertising or profiling.

Where your data is stored

Attr.so runs on Vercel (application hosting) and Supabase (database) with Cloudflare for DNS and edge protection. Our default project regions are not EU-only today. If EU data residency is a hard requirement for your team, please contact privacy@attr.so before signing up - EU residency on a dedicated Supabase project is on the roadmap for Expert and Enterprise plans, and we will be transparent about timing rather than pretend it ships today. The full subprocessor list is on the Security page.

Chrome extension

The Attr.soChrome extension is the optional client that adds a one-click "Shorten this tab" button to your browser toolbar. Because browser extensions warrant an explicit data disclosure, here is exactly what it does and does not handle.

Data the extension sends to our servers:

The current tab URL - but only at the moment you click "Shorten this tab". No background reading, no keystroke logging.
Your cached session token, attached as an Authorization header so our API knows which account is making the request.

Data the extension stores locally on your device (in chrome.storage, not transmitted anywhere):

Your cached session token.
Your theme preference (light or dark).
Your default account / workspace selection.
Your default UTM source / medium presets.

Data the extension does not collect:

Web browsing history. The extension does not record which pages you visit, page titles, time-on-page, or any cross-site activity. The current tab URL is read on demand only when you click the button.
Location. We do not access GPS, device location, or derive geolocation from your IP beyond the approximate country recorded in the login activity log above.
Personal communications. We do not read your emails, texts, DMs, or any chat conversation content. The extension never reads the contents of any input field on any page.
Financial information. The extension never handles card numbers, transactions, or credit data. All billing runs through Stripe on our web app.
Health information. Never collected.
Keystrokes, clicks, or mouse movement on any page.

We do not sell or transfer user data to third parties outside of approved subprocessors (see the Security page for the full list). We do not use your data for advertising, profiling, or creditworthiness scoring.

Your data, your control

You can delete any link from the Links page (this also drops its click history).
You can export every link and click as CSV from the Links and Analytics pages.
You can disconnect a custom domain at any time from Settings › Domains.
You can delete your account from Settings. This removes all stored links, click events, campaigns, bio pages, and account data.

Security

Data is stored on Supabase (Postgres) with row-level security so only the right account can read its own records. Traffic is encrypted with TLS 1.3. Authentication uses short-lived session tokens, MFA, and passkeys (WebAuthn). See the Security page for the full list of controls and subprocessors.

Cookies

We use essential cookies on the dashboard for authentication and a theme preference cookie. The redirect itself drops zero cookies on the visitor. We do not use third-party advertising or tracking cookies anywhere.

Changes to this policy

If we make material changes, we will update the date above and, for signed-in users, show a notice on your next visit.

Contact

Questions? Email privacy@attr.so or see our Terms of Service.