Privacy Policy

Last updated: 5 July 2026

This Privacy Policy explains how Ashley Lavery ("we", "us", "our") collects, uses, and protects your personal data in connection with ash.tf (the "Service"), a URL shortening service.

We are the data controller for the personal data described below. You can contact us at support@ash.tf.

We process personal data in accordance with UK data protection law, including the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018, as amended by the Data (Use and Access) Act 2025) and the Privacy and Electronic Communications Regulations 2003 (PECR).

1. Who this policy applies to

The Service involves two groups of people:

  • Registered users - people who have created an account on the Service.
  • Visitors - people who visit the Service but do not create an account. This includes people who click on a shortened link created by a registered user. We process limited data about visitors in order to redirect them and to provide click analytics to the user who created the link.

This policy covers both groups.

2. The personal data we collect

For registered users:

  • Account data - your email address, display name, and (where you set one) a securely hashed password.
  • Third-party sign-in data - if you choose to sign in using a third-party provider such as Google or GitHub, we receive certain profile information from that provider, typically your email address, name and a unique account identifier. We use this to create and authenticate your account. We do not receive your password for the third-party account.
  • Content data - the destination URLs you shorten, any custom slugs, and related settings.
  • Usage and technical data - log data such as IP address, browser type and user-agent, device information, and timestamps of your activity.
  • Analytics and monitoring data - when you use our web application, our self-hosted analytics and monitoring tools collect data about how the application is used and how it performs. This includes IP address and browser information (processed transiently to produce aggregated usage metrics), application performance data, error reports, browser and device information, and pseudonymous session identifiers.

For visitors:

  • Click data - IP address, browser/user-agent, approximate geographic location (such as city or region) inferred from IP address, referrer, and the time of the click, recorded when a shortened link is followed. The analytics we show to the user who created a link are aggregated statistics (such as click counts, referrers, browser types and approximate locations); we do not expose your IP address to link creators.
  • Analytics and monitoring data - if you browse the pages of our web application (as opposed to simply following a shortened link, which does not involve our web application), the analytics and monitoring described for registered users above also apply to you.

We do not intentionally collect special category data (e.g. data about health, race, religion). Please do not submit such data through the Service.

3. How and why we use personal data, and our lawful bases

We only use your personal data where we have a lawful basis to do so under UK GDPR. The table below sets out what we use personal data for and the lawful basis we rely on for each purpose.

PurposePersonal data usedLawful basis
Creating and authenticating your account, including sign-in via a third-party providerAccount data; third-party sign-in dataPerformance of a contract with you
Providing the core Service: shortening URLs, storing your links and settings, redirecting visitors, and providing click analytics to the user who created a linkContent data; usage and technical data; visitor click dataPerformance of a contract (for registered users); our legitimate interests in operating the redirect service and providing link creators with analytics about their links (for visitor click data)
Keeping the Service secure and preventing abuse, fraud, malware and misuse, including scanning shortened links and their destinations — which may involve third-party scanning or threat-intelligence servicesContent data; usage and technical data; visitor click dataOur legitimate interests in protecting the Service, our users and the public; and compliance with a legal obligation where applicable
Understanding how the Service is used, using our self-hosted Umami analytics, which does not use cookies or store or access any information on your deviceIP address and browser information, processed transiently to produce aggregated usage statistics; the aggregated statistics themselves do not identify youOur legitimate interests in understanding and improving how the Service is used
Monitoring the application's performance and errors, using our self-hosted Grafana Faro, which uses session storage on your deviceApplication performance data; error reports; browser and device information; pseudonymous session identifiersConsent, which you can withdraw at any time
Communicating with you about your account, support requests, and significant changes to the Service or our policiesAccount dataPerformance of a contract; and our legitimate interests in administering the Service
Complying with our legal obligations, responding to lawful requests, and establishing, exercising or defending legal claimsAny of the above, as relevantCompliance with a legal obligation; and our legitimate interests in protecting our rights

Where we rely on legitimate interests, we have considered whether those interests are overridden by your own interests, rights and freedoms, and we limit the data we use to what is necessary for the purpose. For visitor click data in particular, our interest is in operating the redirect and giving the link creator analytics about their own links; this processing happens server-side and does not involve storing information on, or gaining access to information already stored on, your device. You can ask us more about this balancing exercise using the contact details below.

Where we rely on consent (our Grafana Faro performance and error monitoring), we ask for it when you first use the web application, and you can give or withdraw it at any time using the monitoring consent control in the application. Withdrawing consent does not affect processing carried out before withdrawal. Our Umami analytics does not rely on consent because it uses no cookies and does not store or access any information on your device; it is covered by our legitimate interests, and you can object to it at any time using the contact details below.

4. Cookies, analytics and similar technologies

We aim to keep our use of cookies and device storage to a minimum. Under PECR, anything that is not strictly necessary is used only with your consent.

  • Strictly necessary cookies - used for authentication, session management and security. These are required for the Service to function and do not require consent.
  • Analytics - we use self-hosted Umami to generate privacy-focused usage statistics about the Service. Umami does not use cookies and does not store or access any information on your device, so it does not require, and cannot be enabled or disabled through, a consent choice. We rely on our legitimate interests for this processing, and you can object to it using the details in section 8.
  • Performance and error monitoring - we use self-hosted Grafana Faro to collect application performance, diagnostic and error information, including browser and device information, performance metrics, and pseudonymous session identifiers. Because Faro uses session storage on your device, we use it only with your consent. We ask for this consent when you first use the web application, and you can give or withdraw it at any time using the monitoring consent control in the application.

We do not use any third-party advertising or cross-site tracking technologies.

5. Sharing your data

We do not sell your personal data. Our analytics and monitoring are self-hosted, so this data is not shared with any third-party analytics provider. We share personal data only with:

  • Service providers (processors) acting on our instructions, such as our hosting, database and email providers.
  • Abuse-detection and security providers - to detect and prevent abuse, malware, phishing, and other harmful or unlawful activity, we may share shortened links and their destination URLs, along with limited related technical data, with third-party scanning or threat-intelligence services. These providers process this data on our behalf or as part of providing their security service to us.
  • Third-party authentication providers - if you sign in using Google or GitHub, you interact directly with that provider to authenticate. The provider will know that you are signing in to our Service, and its handling of your data is governed by its own privacy policy (Google: policies.google.com/privacy; GitHub: docs.github.com/en/site-policy/privacy-policies/github-general-privacy-statement). These providers act as independent controllers for the data they hold about you.
  • Authorities or third parties where required by law, or to investigate or prevent abuse, fraud or harm.

6. International transfers

Personal data processed by the core Service is hosted within the European Union / European Economic Area (EEA).

Although the Service is operated from the UK, the EEA is covered by the UK's data adequacy regulations, which means personal data can be transferred from the UK to the EEA without the need for additional transfer safeguards.

Where we use third-party services to scan links for abuse (see sections 3 and 5), some of those providers may be located outside the UK and EEA, including in the United States. Where personal data is transferred outside the UK and EEA, we ensure an appropriate safeguard is in place, such as adequacy regulations covering the destination country, the UK Extension to the EU–US Data Privacy Framework, or the ICO's International Data Transfer Agreement (or the UK Addendum to the EU Standard Contractual Clauses). Other than as described here, we do not routinely transfer personal data outside the UK and EEA.

7. How long we keep data

We keep personal data only as long as necessary for the purposes above.

  • Account data - for as long as your account is active, and for up to 90 days after account closure unless a longer retention period is required for legal, security, fraud-prevention or dispute-resolution purposes.
  • Shortened links and their analytics - shortened links, and the aggregated click statistics shown to the link creator, are kept for as long as the link is active, or until you delete it. The underlying individual click records containing IP addresses are kept for no more than 60 days, after which only aggregated statistics remain.
  • Server and access logs - typically retained for 60 days for security and troubleshooting.
  • Application analytics and monitoring data - data collected by our Umami analytics and Grafana Faro monitoring is typically retained for up to 60 days.

8. Your rights

Under UK GDPR you have the right to:

  • access a copy of your personal data;
  • have inaccurate data corrected;
  • have your data erased in certain circumstances;
  • restrict the processing of your personal data;
  • object to certain processing;
  • receive your personal data in a portable format;
  • withdraw consent at any time where processing is based on consent; and
  • not be subject to decisions based solely on automated processing where applicable.

We may scan links and their destinations to detect abuse, and this may flag links or accounts for attention. Where we disable, remove or suspend a link or account, this involves human review — we do not make decisions that produce legal or similarly significant effects about you based solely on automated processing.

To exercise any of these rights, contact us at support@ash.tf. We will respond within one month, though we may extend this where a request is complex. There is normally no charge.

9. Complaints

If you are unhappy with how we have handled your personal data, you can complain to us directly at support@ash.tf. We will acknowledge your complaint within 30 days and work with you towards a resolution.

You also have the right to complain to the Information Commissioner's Office (ICO):

  • Website: ico.org.uk
  • Helpline: 0303 123 1113

We would, however, appreciate the chance to address your concerns before you approach the ICO.

10. Security

We take reasonable technical and organisational measures to protect personal data, including hashing passwords, restricting access, and securing data in transit. No system is completely secure, so we cannot guarantee absolute security.

11. Children

The Service is intended for users aged 18 and over. We do not knowingly collect personal data from children.

12. Changes to this policy

We may update this policy from time to time. We will update the "Last updated" date and, where changes are significant, take reasonable steps to notify registered users.

13. Contact

If you have any questions about this Privacy Policy, please contact us at support@ash.tf.

We value your privacy

We use essential cookies to run ash.tf. With your consent we also use privacy-friendly analytics to understand how the service is used. Privacy Policy