Privacy Policy

Last Updated: 9 April 2026

1. Introduction & Data Controller

bzz.nu is a registered trade name of Junovy, a business registered in Amsterdam, The Netherlands under Chamber of Commerce (KvK) number 71813977. This Privacy Policy explains what personal data we process when you visit bzz.nu, use the dashboard at dashboard.bzz.nu, or interact with short links created on our platform.

Junovy is the data controller responsible for your personal data under the General Data Protection Regulation (Regulation (EU) 2016/679, the “GDPR”).

Registered address: [protected address], The Netherlands
Chamber of Commerce (KvK): 71813977
Privacy contact: [protected email]

Junovy is a small Dutch business and is not required to appoint a Data Protection Officer under Article 37 GDPR: we do not carry out large-scale systematic monitoring of individuals, nor do we process special categories of personal data on a large scale. All privacy questions, data subject requests, and breach reports should be sent to the privacy contact above, which is handled by the person responsible for bzz.nu.

2. Information We Collect

We collect only what we need to run the service, keep it secure, and comply with the law. The data we process falls into three categories: data you provide, data we collect automatically, and analytics generated when people interact with your links.

2.1 Personal Data You Provide

When you create a bzz.nu account or use the dashboard, we collect:

  • Name or display name (optional — used only to personalise the dashboard)
  • Email address (required — for account recovery, security notifications, and transactional email)
  • Authentication credentials — authentication is handled by our identity provider (Keycloak) at auth.junovy.com. bzz.nu does not see or store your password. Keycloak stores a salted hash, never the plaintext.
  • Short link configuration — the long URLs you shorten, custom slugs, expiry settings, and tags you add
  • Micro-site content — any text, links, and images you upload to build your micro-site page
  • Support correspondence — if you email us, we keep that correspondence so we can follow up

2.2 Automatically Collected Data

When you visit bzz.nu, the dashboard, or follow a short link, our servers automatically log some technical information. This is standard for any web service and is necessary to operate it securely.

  • Hashed IP address. Before any IP address is written to our database, it is combined with a secret server-side salt (configured via the ANALYTICS_SALT environment variable) and hashed using SHA-256. We store only the hash. We never persist your raw IP address to long-term storage. The salt is held only in our secrets manager, is never logged, and is rotated when we redeploy the service, which means older hashes cannot be linked to newer ones across rotations.
  • User agent string — the browser and operating system name sent by your browser (for example, Mozilla/5.0 (Macintosh)...).
  • Referrer — the previous page URL, when your browser sends one.
  • Do Not Track (DNT) signal. If your browser sends DNT: 1, we still record the event (because we use it for aggregate analytics only) but we flag it in our database so you can see that the signal was received. We do not use DNT-flagged events for anything other than counting.
  • Request metadata — the short link slug, timestamp, and HTTP response status. This is stored in server logs and kept for 90 days.

2.3 Link & Micro-Site Analytics

Every time someone follows one of your short links, or visits one of your micro-site pages, we record an analytics event. This lets us show you click counts and basic statistics in your dashboard.

An analytics event contains:

  • The short link or micro-site identifier
  • A timestamp
  • The SHA-256 hash of the visitor’s IP address (salted, as described in § 2.2)
  • The user-agent string
  • The referrer, if present
  • A boolean flag indicating whether the browser sent DNT: 1

We do not use cookies, fingerprinting, or third-party tracking pixels to identify visitors. Because IP addresses are hashed with a rotating salt, we cannot look at an analytics event and tell you who clicked the link; we can only tell you how many distinct hashes clicked it during the retention window.
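The salted hashing and distinct-hash counting described in § 2.2 and § 2.3, as an added Python example; it is not bzz.nu's own code. The byte layout (salt, separator, canonical address), the function names, and all sample addresses and salts are assumptions constructed for illustration.

```python
import hashlib
import ipaddress

def hash_ip(raw_ip: str, salt: bytes) -> str:
    """Salted SHA-256 of the canonical IP; only this digest is stored."""
    # Canonicalise first so equivalent IPv6 spellings map to one hash.
    canonical = ipaddress.ip_address(raw_ip.strip()).compressed
    # Assumed construction: salt, separator, address (the policy names only
    # a salt and SHA-256, not the exact byte layout).
    return hashlib.sha256(salt + b"|" + canonical.encode("ascii")).hexdigest()

def make_event(link_id, ts, raw_ip, user_agent, referrer, dnt_header, salt):
    """Build the analytics event fields listed in section 2.3."""
    return {
        "link_id": link_id,
        "ts": ts,
        "ip_hash": hash_ip(raw_ip, salt),   # raw_ip is not kept in the event
        "user_agent": user_agent,
        "referrer": referrer or None,
        "dnt": dnt_header == "1",           # flagged, but the event still counts
    }

def distinct_hashes(events, link_id):
    """Number of distinct visitor hashes seen for one link."""
    return len({e["ip_hash"] for e in events if e["link_id"] == link_id})

# Constructed sample data: documentation-range addresses and made-up salts.
SALT_A = b"constructed-salt-before-redeploy"
SALT_B = b"constructed-salt-after-redeploy"
UA = "Mozilla/5.0 (Macintosh)"
REQUESTS_A = [
    ("demo", "2026-04-01T10:00:00Z", "203.0.113.7", UA, "", "1"),
    ("demo", "2026-04-01T10:05:00Z", "203.0.113.7", UA, "https://example.org/", None),
    ("demo", "2026-04-01T11:00:00Z", "2001:DB8:0:0:0:0:0:1", UA, "", None),
]
REQUESTS_B = [("demo", "2026-04-02T09:00:00Z", "203.0.113.7", UA, "", None)]

def build_events():
    """Hash the first batch under SALT_A and the second under SALT_B."""
    events = [make_event(*r, salt=SALT_A) for r in REQUESTS_A]
    events += [make_event(*r, salt=SALT_B) for r in REQUESTS_B]
    return events

if __name__ == "__main__":
    print("distinct hashes:", distinct_hashes(build_events(), "demo"))
```

The sample holds two addresses but yields three distinct hashes, because the address seen again after the salt change produces a hash that cannot be matched to its earlier one.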

3. Legal Basis for Processing

Under GDPR, we process your personal data on the following legal bases:

  • Contractual necessity (Article 6(1)(b) GDPR) — to create and operate your account, store the links and micro sites you create, and provide the service you signed up for.
  • Legitimate interests (Article 6(1)(f) GDPR) — to keep the service secure, prevent abuse and fraud, enforce rate limits, and calculate aggregate analytics for the links you own. We have balanced these interests against the privacy impact and concluded that hashing IP addresses before storage, combined with short retention windows, is a proportionate measure.
  • Legal obligation (Article 6(1)(c) GDPR) — when we are required to retain or disclose data under Dutch or EU law (for example, in response to a valid court order, or to comply with our DSA Article 16 notice-and-action obligations).
  • Consent (Article 6(1)(a) GDPR) — for any processing we introduce in the future that is not covered by the above, we will ask you first and you will be free to refuse.

4. How We Use Your Data

We use the data we collect to:

  • Resolve short links — look up the target URL in our database so we can send your visitors to the right place.
  • Render micro-site pages with the content you uploaded.
  • Show you click counts and aggregate statistics in your dashboard.
  • Enforce per-IP rate limits on the public /:slug endpoint so that a single client cannot overwhelm the service. The rate limiter uses the hashed IP as its key.
  • Detect and prevent fraud, abuse, phishing, and other violations of our Acceptable Use Policy.
  • Respond to your support requests, privacy requests, and security reports.
  • Send you service notifications (password resets, important security updates, changes to these policies).
  • Comply with our legal obligations, including responding to valid notice-and-takedown requests under the EU Digital Services Act.

We do not use your data to build advertising profiles, train machine-learning models, or sell to third parties. bzz.nu has no ads and no behavioural targeting.

5. Cookies

The marketing site at bzz.nu sets no cookies at all. Only the authenticated dashboard at dashboard.bzz.nu uses cookies, and only strictly necessary ones required to keep you signed in and protect you against cross-site request forgery.

A full list of cookies, their purposes, and retention periods is available in the Cookie Policy. Because we only use strictly necessary cookies, we do not require a consent banner (these cookies are exempt under the ePrivacy Directive Article 5(3)).

6. Data Sharing & Third Parties

We never sell your personal data. We share it only with a small number of carefully selected processors who help us operate the service. Each of them has signed a Data Processing Agreement (DPA) with us under Article 28 GDPR and is bound to process data only on our instructions.

6.1 Data Processors

| Processor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Cloud infrastructure, virtual machines, cloud database, object storage (for micro-site avatars), and primary authoritative DNS for bzz.nu. | Germany (EU) |
| BunnyWay d.o.o. (Bunny.net) | Secondary authoritative DNS for bzz.nu, operated as a backup to our primary DNS provider. | Slovenia (EU) |
| Mailjet SAS | Transactional email delivery (password resets, account notifications, support replies). | France (EU) |
| Internet Security Research Group (Let’s Encrypt) | TLS certificate issuance and renewal. No personal data is shared; only domain names. | United States (essential infrastructure, no personal data) |

Each of these processors has signed a Data Processing Agreement (DPA) with us under Article 28 GDPR. None of them are permitted to use the data they process for their own purposes. We do not use any analytics, advertising, or customer-data platforms. There is no Google Analytics, no Meta pixel, no Segment, no Mixpanel.

6.2 Disclosures Required by Law

We may disclose personal data if compelled to do so by a valid legal process issued by a competent Dutch or EU authority, or where disclosure is necessary to protect the rights, property, or safety of Junovy, our users, or the public. We will narrowly scope any such disclosure to the minimum necessary and, where legally permitted, notify you.

7. International Data Transfers

The personal data we process is stored within the European Union. Our infrastructure runs on Hetzner data centres in Germany; our transactional email is routed through Mailjet servers in France; our authoritative DNS is served from Hetzner (Germany) and Bunny.net (Slovenia). The only non-EU service we rely on is Let’s Encrypt for TLS certificates. No personal data is transferred to Let’s Encrypt: certificate issuance involves only the public domain name (bzz.nu), which is not considered personal data in this context and which is in any case published in the public Certificate Transparency logs required by all major browsers.

If we ever need to transfer personal data outside the EU, we will do so only on the basis of an adequacy decision under Article 45 GDPR or appropriate safeguards under Article 46 GDPR (such as Standard Contractual Clauses), and we will update this policy before doing so.

8. Data Retention

We keep data only for as long as we need it. Specific retention periods for bzz.nu are:

| Data | Retention |
|---|---|
| Account profile (name, email) | Life of the account + 30 days after deletion |
| Short-link records | Until you delete them, or 30 days after account closure |
| Micro-site content and assets | Until you delete them, or 30 days after account closure |
| Analytics events (with hashed IP) | 12 months in raw form, then aggregated |
| Server access logs (Traefik) | 90 days |
| Support correspondence | 3 years after last contact |
| Database backups | 30 days rolling |
| Billing records (if applicable) | 7 years (Dutch tax law) |

When the retention period ends, data is deleted from active systems. It may persist in backups for up to 30 additional days before rolling off.

9. Your Rights Under GDPR

You have the right to:

  • Access (Article 15) — request a copy of the personal data we hold about you.
  • Rectification (Article 16) — ask us to correct inaccurate data.
  • Erasure (Article 17) — ask us to delete your data (“right to be forgotten”).
  • Restriction (Article 18) — ask us to pause processing while a dispute is resolved.
  • Portability (Article 20) — receive your data in a structured, machine-readable format.
  • Object (Article 21) — object to processing based on legitimate interests.
  • Withdraw consent (Article 7(3)) — at any time, for any processing based on consent.
  • Lodge a complaint — with your national data protection authority.

For a plain-language guide, see Your Rights. To exercise any of these rights, email [protected email]. We will respond within one month (Article 12(3) GDPR).

10. Security & Privacy by Design

Privacy by design and by default (Article 25 GDPR) is built into bzz.nu from the ground up. Concretely, this means we hash visitor IP addresses with a rotating server-side salt before writing them to disk, we host all personal data inside the European Union, and we use no third-party analytics, advertising, or tracking vendors of any kind. These choices are architectural: they cannot be toggled off, and they apply to every user automatically.

We also implement the technical and organisational measures required by Article 32 GDPR, including:

  • TLS 1.2+ encryption for all traffic to and from bzz.nu.
  • SHA-256 hashing of IP addresses before storage.
  • Encrypted backups stored in EU-based object storage.
  • Role-based access control and least-privilege principles for staff access.
  • Strict network segmentation between the redirect service, the API, the dashboard, and the database.
  • A formal secrets management system (HashiCorp Vault) for credentials.
  • Automatic dependency scanning and regular security updates.
  • A documented incident response plan.

10.1 Breach notification

If a personal data breach occurs, we will notify the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) within 72 hours of becoming aware of it, in accordance with Article 33 GDPR. Where a breach is likely to result in a high risk to your rights and freedoms, we will also notify affected users directly and without undue delay, in plain language and with a description of the likely consequences and the measures we are taking, in accordance with Article 34 GDPR.

If you believe you have found a security vulnerability in bzz.nu, please report it to [protected email]. We appreciate responsible disclosure and will acknowledge your report within one business day.

11. Children

bzz.nu is not directed at children under 16. We do not knowingly collect personal data from children under 16 without verifiable parental consent (Article 8 GDPR). If you believe we have collected such data, please contact [protected email] and we will delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last Updated” date at the top of this document and, where the change affects you materially, notify signed-in users by email at least 14 days before the change takes effect. Minor changes (typo fixes, clarifications) may be made without notice.

13. Contact

Questions about this Privacy Policy, or about how we handle your data, can be sent to:

Junovy — Privacy team
[protected address], The Netherlands
Email: [protected email]

You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl or with the supervisory authority in your EU country of residence.

© 2026 Junovy — bzz.nu. All rights reserved.