PP 1. Who we are and scope
This Privacy Policy explains how JN Short (the “Service”) processes personal data under the EU General Data Protection Regulation (GDPR) and applicable Member State laws. It covers users who create accounts, team members, API users, and visitors who interact with links, QR codes, bio pages and hosted files created using the Service.
Definitions. “Personal data”, “controller”, “processor”, “processing” and “data subject” have the meanings set out in the GDPR. Capitalised terms not defined here have the meaning in the Terms of Service (the “Terms”).
PP 2. Controller vs processor roles
2.1 When we act as CONTROLLER. We act as controller for personal data relating to your account (e.g., profile, billing, authentication), service operations (e.g., security logs), product analytics about how the Service is used, marketing (where applicable), and communications with you (support, notices).
2.2 When we act as PROCESSOR. For Business Customers (workspaces/organisations), we act as processor for end‑user/visitor data processed on your documented instructions, e.g., link and QR interactions, campaign metadata, and hosted content analytics. Our Data Processing Addendum (DPA) governs such processing and includes security commitments and our subprocessor list. Controllers must provide their documented instructions via the Admin Console or by email to privacy@jnshort.com, as detailed in the DPA. The DPA is incorporated by reference and available at https://jnshort.com/legal/dpa.
2.3 Joint or independent controllers. Where we integrate with third‑party services you choose (e.g., analytics, ad or CRM platforms), each party will typically act as an independent controller. Please review those providers’ privacy notices.
PP 3. What we collect
We collect and process the following categories (exact data depends on features you use and your configuration):
(a) Account & Profile: name, email address, password hash or SSO identifiers, organisation/workspace, role, settings, preferred language and time zone.
(b) Billing & Payments: invoicing contact, company details (legal name, address, UIC/EIK, VAT number), transaction identifiers, plan and payment status. Payment card data is handled by our payment processor; we receive limited tokens/metadata.
(c) Service Telemetry & Logs: app and API activity logs, timestamps, IP addresses, user‑agent strings, error diagnostics, device attributes, and security signals (e.g., suspicious login indicators).
(d) Support & Communications: messages, tickets, attachments, call/chat recordings where applicable, and metadata necessary to handle your request.
(e) Analytics Events (Link/QR/Bio/Files): click or scan timestamps; short link ID and destination domain; referrer (where available); approximate geolocation (e.g., city/country) derived from IP; device/OS/browser and language derived from user agent; network characteristics; campaign parameters. We generally do not require precise locations.
(f) Cookies/SDKs: identifiers necessary to operate the Service (authentication, security, load balancing) and, with CONSENT where required, analytics and marketing cookies/SDKs. See our Cookie Policy for details and choices.
(g) Optional Custom Fields: where you choose to store contact attributes or tags in the Service, you are responsible for collecting them lawfully and keeping them up to date.
PP 4. Purposes and legal bases
We process personal data for the purposes and legal bases below:
(a) Service Delivery (CONTRACT, Art. 6(1)(b)): to create and manage accounts, authenticate users, provide features (short links, QR codes, bio pages, hosted files), provide support, and issue invoices.
(b) Security & Fraud Prevention (LEGITIMATE INTERESTS, Art. 6(1)(f); in some cases LEGAL OBLIGATION): to secure the Service, detect/prevent abuse, enforce the AUP/Terms, and protect users and the public.
(c) Product Analytics & Improvement (LEGITIMATE INTERESTS): to understand feature usage, quality and performance to improve the Service. Where law requires CONSENT (e.g., non‑essential cookies), we rely on CONSENT. Where we rely on legitimate interests for limited, privacy‑preserving first‑party analytics, we apply data‑minimisation, aggregation and opt‑out mechanisms and respect choices recorded via PP 10.
(d) Marketing & Communications (CONSENT and/or LEGITIMATE INTERESTS): to send product updates, newsletters or offers. You can OPT OUT at any time (unsubscribe link). Non‑marketing service messages are sent under CONTRACT or LEGAL OBLIGATION.
(e) Compliance (LEGAL OBLIGATION): to comply with tax, accounting and regulatory requirements, respond to lawful requests, and manage disputes.
Where we rely on LEGITIMATE INTERESTS, we perform a balancing test to ensure your interests and rights are respected. YOU HAVE THE RIGHT TO OBJECT TO PROCESSING BASED ON LEGITIMATE INTERESTS AT ANY TIME (see PP 9).
PP 5. Sharing & disclosure
(a) Subprocessors (PROCESSORS): trusted vendors that host infrastructure, send emails/SMS, provide customer support tooling, analytics, error monitoring, payments, domain/DNS services, and anti‑abuse/security. We bind them by data‑processing terms and security measures.
(b) Affiliates: entities under common ownership for service provision, support, or corporate functions, subject to appropriate safeguards.
(c) Legal Requests & Harm Prevention: disclosures to competent authorities or third parties where required by law, court/authority order, or to address imminent risk of serious harm.
(d) Business Transfers: in a reorganisation, merger, acquisition or sale, personal data may be transferred to the successor subject to this Policy and applicable law.
We do not sell personal data.
PP 6. International transfers
Where personal data is transferred outside the EEA (or UK) to a country without an adequacy decision, we use appropriate safeguards such as the European Commission’s Standard Contractual Clauses (SCCs) and, where applicable, UK IDTA/Addendum, along with technical and organisational measures. Copies of relevant SCCs can be requested by contacting privacy@jnshort.com, subject to redactions for confidentiality. We seek to store and process data in the EEA where feasible. We typically rely on SCC Module 2 (controller‑to‑processor) and Module 3 (processor‑to‑processor), with technical and organisational measures including encryption in transit and at rest as described in Security § 2.3.
PP 7. Retention
We retain personal data only for as long as necessary for the purposes set out above:
(a) Account & Profile: for the life of the account and up to 24 months after closure (to allow reactivation and account reconciliation), unless you request earlier deletion and legal obligations permit.
(b) Billing & Payments: typically 10 YEARS to meet statutory accounting/tax retention requirements.
(c) Service Telemetry & Security Logs: typically 12 MONTHS (shorter or longer where needed for security/investigations and legal obligations).
(d) Support Records: typically 24 MONTHS after ticket closure.
(d1) Admin audit logs: actions by workspace administrators (e.g., role changes, SSO configuration) — typically 12–24 MONTHS.
(e) Link/QR/Bio Analytics: DEFAULT 24 MONTHS, CONFIGURABLE PER WORKSPACE (e.g., 3/12/24/36 months). Aggregated or anonymised analytics may be retained longer for trend analysis.
(f) Backups: encrypted backups are kept for disaster recovery on rolling cycles (typically 30–90 DAYS).
When retention expires, data is securely deleted or irreversibly anonymised. Where deletion is delayed due to a legal hold or dispute, we will restrict processing to storage only until the hold is lifted or the dispute is resolved.
PP 8. Your rights
Subject to conditions and exceptions in the GDPR, you have the following rights:
(a) ACCESS: to obtain confirmation and a copy of your personal data.
(b) RECTIFICATION: to have inaccurate data corrected and incomplete data completed.
(c) ERASURE (“RIGHT TO BE FORGOTTEN”): to request deletion where the GDPR conditions apply.
(d) RESTRICTION: to request we limit processing in certain circumstances.
(e) PORTABILITY: to receive your data in a structured, commonly used, machine‑readable format and transmit it to another controller.
(f) OBJECT: to processing based on LEGITIMATE INTERESTS, including profiling—WE WILL CEASE PROCESSING UNLESS WE HAVE COMPELLING LEGITIMATE GROUNDS or the processing is needed for legal claims.
(g) WITHDRAW CONSENT: where processing is based on CONSENT (e.g., non‑essential cookies/marketing), YOU MAY WITHDRAW CONSENT AT ANY TIME without affecting prior processing.
(h) COMPLAINT: YOU HAVE THE RIGHT TO LODGE A COMPLAINT with your local supervisory authority. In Bulgaria, this is the Commission for Personal Data Protection (Комисия за защита на личните данни – КЗЛД). See https://www.cpdp.bg for current contact details.
PP 9. How to exercise your rights
Contact privacy@jnshort.com with your request. We may need to verify your identity and authority (for example, if you are a team admin or acting on behalf of an organisation). We will respond without undue delay and in any event within ONE (1) MONTH, extendable by TWO (2) MONTHS for complex requests as permitted by law. If we are acting as PROCESSOR, we will forward requests to the relevant Business Customer (controller) and assist them as required by the DPA. We verify identity via email confirmation and, for organisation accounts, by confirming with a workspace administrator. Appeals concerning content decisions may also follow the DSA appeal route described in the Moderation, Notice‑and‑Action & Appeals Policy.
PP 10.1 What these technologies are
“Cookies” are small text files placed on your device by websites you visit. “Similar technologies” include web beacons/pixels, local storage, SDKs on mobile apps, and device identifiers. WE USE COOKIES AND SIMILAR TECHNOLOGIES TO OPERATE THE SERVICE, KEEP IT SECURE, REMEMBER YOUR PREFERENCES, MEASURE PERFORMANCE AND—WITH YOUR PRIOR CONSENT WHERE REQUIRED—TO IMPROVE THE SERVICE AND SUPPORT MARKETING.
PP 10.2 Categories we use
(a) STRICTLY NECESSARY: Required to operate the Service (e.g., authentication, load balancing, fraud prevention, consent recording). These cannot be switched off in our systems and do not require consent under the ePrivacy rules.
(b) FUNCTIONAL/PREFERENCES: Remember choices such as language, theme, and region.
(c) PERFORMANCE/ANALYTICS: Help us understand usage (e.g., page views, feature adoption, error diagnostics) and improve quality and performance.
We may use proprietary first‑party analytics, or privacy‑focused providers, configured to minimise personal data.
(d) ADVERTISING/MARKETING: Measure campaigns, limit ad frequency, and show relevant information. USED ONLY WITH YOUR PRIOR CONSENT WHERE REQUIRED.
PP 10.3 Legal bases
(a) STRICTLY NECESSARY COOKIES are used under the GDPR legal bases of CONTRACT (Art. 6(1)(b)) and/or LEGITIMATE INTERESTS (Art. 6(1)(f)), and do not require consent under ePrivacy when strictly necessary for the Service you request.
(b) FUNCTIONAL, ANALYTICS AND MARKETING COOKIES/SDKs are used WITH YOUR CONSENT (Art. 6(1)(a)) where required by ePrivacy. Where consent is not required (for example, limited first-party analytics that are privacy-preserving under applicable guidance), we rely on LEGITIMATE INTERESTS with appropriate safeguards. YOU CAN WITHDRAW CONSENT AT ANY TIME (see PP 10.5).
PP 10.4 Consent management
We provide a CONSENT MANAGEMENT mechanism (the “Consent Banner”) that allows granular choices by category and, where applicable, by provider. We record your consent choices (time, scope, version and region) and honour them across our subdomains. We may periodically ask you to reaffirm your choices, for example, after material changes or expiry. For minors, VERIFIABLE PARENTAL CONSENT may be required where local law so requires. NON-ESSENTIAL COOKIES/SDKs WILL NOT BE SET UNTIL YOU GIVE CONSENT.
PP 10.5 Your choices & withdrawal
(a) MANAGE PREFERENCES: You can change or withdraw consent at any time via the “Manage Cookies” link in the footer.
(b) BROWSER/DEVICE CONTROLS: You can block or delete cookies through your browser settings. Disabling strictly necessary cookies may impair core functionality.
(c) GLOBAL PRIVACY CONTROL (GPC) / DO NOT TRACK: Where technically feasible, WE HONOUR SUPPORTED BROWSER SIGNALS such as GPC for opt-out preferences applicable to marketing/advertising cookies.
(d) MOBILE SDKs: On mobile, use your device settings to reset advertising IDs or limit ad tracking.
(e) THIRD-PARTY OPT-OUTS: Some providers offer their own opt-outs, which we link in the cookie tables where applicable.
PP 10.6 First-party vs third-party; duration
Cookies may be set by us (FIRST-PARTY) or by third parties (THIRD-PARTY) when their services are embedded in or used by the Service. Cookies may be SESSION (expire when you close the browser) or PERSISTENT (remain until they expire or are deleted). OUR COOKIE TABLES (APPENDIX A) STATE TYPICAL DURATIONS.
PP 10.7 Custom domains, bio pages & hosted files
If you serve content via CUSTOM DOMAINS or BIO PAGES or use our HOSTED FILES features, YOU ARE RESPONSIBLE for any cookies or trackers you choose to deploy on those destinations, including obtaining CONSENT where required and providing your own privacy/cookie disclosures to your visitors. Where we provide first-party analytics on such pages, we do so in accordance with this Policy and your configuration.
PP 10.8 Data minimisation & privacy safeguards
We strive to minimise personal data in our analytics (e.g., using aggregated metrics, truncating IPs where feasible, and limiting retention). We do not use precise geolocation for analytics unless you enable a feature that requires it and obtain any required consent.
PP 10.9 Changes to our use of cookies
We may update our cookie categories, providers, or lifetimes. MATERIAL CHANGES WILL BE REFLECTED IN THE COOKIE TABLES AND, WHERE REQUIRED, WE WILL SEEK FRESH CONSENT.
PP 11. Children
The Service is not directed to children. Where national law sets an age for consent between 13 and 16, we comply accordingly. Where minors lawfully use the Service, verifiable parental consent and supervision are required.
PP 12. Security
We implement appropriate TECHNICAL AND ORGANISATIONAL MEASURES (Art. 32 GDPR), including encryption in transit and at rest where applicable, access controls, logging and monitoring, vulnerability management, secure development practices, and employee confidentiality obligations. No system is 100% secure; you are responsible for keeping your credentials safe and implementing team access controls.
PP 13. Automated decision‑making & profiling
We do not carry out automated decision‑making that produces legal effects concerning you or similarly significantly affects you within the meaning of Art. 22 GDPR. We may use limited profiling for security (e.g., fraud signals) and service analytics. YOU MAY OBJECT TO PROFILING BASED ON LEGITIMATE INTERESTS (see PP 8(f)).
PP 14. Sources of personal data
In addition to data you provide, we may receive personal data from: (a) devices and browsers (e.g., user agent, IP, language, time zone); (b) administrators of your organisation; (c) providers you connect (SSO, domain/DNS, analytics or CRM tools); and (d) anti‑abuse/security partners and public sources where necessary for fraud prevention and compliance.
PP 15. International users
If you access the Service from outside the EU/EEA, your data may be processed in the EU/EEA and other countries as described in PP 6. For UK residents, references to the GDPR include the UK GDPR and the UK Data Protection Act 2018.
PP 16. Changes to this policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. WE WILL PROVIDE ADVANCE NOTICE FOR MATERIAL CHANGES where required. The effective date appears at the top of the Policy, and an archive of prior versions will be maintained.
PP 17. Contact
Privacy contact: privacy@jnshort.com.
General support: support@jnshort.com.
Supervisory Authority (Bulgaria): Commission for Personal Data Protection (КЗЛД) — see https://www.cpdp.bg.