GDPR

Your Rights, in plain language

Last Updated: 9 April 2026

The EU General Data Protection Regulation (GDPR) gives you a set of concrete rights over your personal data. This page explains each one in plain language, with bzz.nu-specific examples, and tells you exactly how to exercise it.

If you would rather read the formal version, the definitive source is our Privacy Policy § 9.

How to reach us. For any of the requests below, email [protected email] from the email address on your bzz.nu account. We will respond within one month, as required by Article 12(3) GDPR. There is no charge for a first request.

1. The right to be informed

“I want to know what you do with my data.”

You have the right to know what personal data we process, why, on what legal basis, and with whom we share it. That is what our Privacy Policy is for. We try to write it in plain language and we keep it up to date. If anything in it is unclear, please tell us — we will fix it.

GDPR Articles 13 and 14.

2. The right of access

“I want to see all the links I created and everything bzz.nu knows about me.”

You can ask us for a copy of the personal data we hold about you. For bzz.nu this typically includes:

Your account profile (email, display name, account creation date)
Every short link you have created, with its slug, target URL, creation date, and aggregate click count
Every micro site you have created, including its content and the image assets you uploaded
A summary of analytics events tied to your links (note: we cannot return raw IP addresses because we never stored them)
Any support correspondence you have had with us

How to ask: email [protected email] with the subject line [Access request]. We will reply with your data in a readable format (JSON or CSV) within one month.

GDPR Article 15.

3. The right to rectification

“Something you have about me is wrong. Please fix it.”

If any personal data we hold about you is incorrect or incomplete, you can ask us to correct it. Most account information (display name, email) can be updated from the dashboard without involving us. For anything else, email [protected email].

GDPR Article 16.

4. The right to erasure (“right to be forgotten”)

“Delete everything.”

You can ask us to delete your account and all associated data. The fastest way is to use the “Delete account” button in your dashboard. Your account is scheduled for deletion immediately, and within 30 days:

Your account profile is removed from our database.
All your short links are removed. The slugs become available for reuse by other users.
All your micro sites and uploaded assets are deleted.
Your analytics data is deleted.

Data may persist in encrypted backups for up to an additional 30 days before rolling off. Certain records (e.g. support emails, invoices) may be retained if Dutch law requires us to keep them — see Privacy Policy § 8 for exact periods.

GDPR Article 17.

5. The right to restrict processing

“Stop using my data while we sort this out.”

If you dispute the accuracy of data we hold, believe our processing is unlawful, or have objected to processing (see § 7 below), you can ask us to restrict processing while we investigate. We will mark the data as restricted and not use it until the dispute is resolved.

GDPR Article 18.

6. The right to data portability

“Give me my data in a format I can take elsewhere.”

You can ask for your data in a structured, commonly used, machine-readable format (JSON). This covers personal data you provided to us under a contract or consent (your account details, your links, your micro sites). We do not charge for this.

You can also ask us to send the data directly to another service provider, where technically feasible. (In practice, few link shorteners offer a standard import format, so this is rarely actionable — but the right exists and we will do our best.)

GDPR Article 20.

7. The right to object

“I don’t want you doing that specific thing with my data.”

You can object, on grounds relating to your particular situation, to any processing we do on the basis of “legitimate interests” (Article 6(1)(f) GDPR). For bzz.nu this mainly covers abuse prevention and aggregate analytics. If you object we will stop, unless we can show compelling legitimate grounds that override your interests or we need the data to establish, exercise, or defend legal claims.

GDPR Article 21.

8. The right not to be subject to automated decisions

“I don’t want a computer making decisions about me.”

bzz.nu does not make automated decisions that produce legal or similarly significant effects on you. We do use automated safeguards to block known phishing and malware destinations, but these operate on the destination URL, not on you as a person. If we ever introduce profiling, we will tell you first and obtain the appropriate legal basis.

GDPR Article 22.

9. The right to withdraw consent

“I changed my mind.”

Where processing is based on your consent (Article 6(1)(a) GDPR), you can withdraw it at any time. Withdrawing consent does not affect processing that happened before you withdrew. Currently we do not rely on consent for any core processing at bzz.nu — our legal bases are contract and legitimate interest — but if this changes we will make it clear.

GDPR Article 7(3).

10. The right to lodge a complaint

“I’m not happy with your answer.”

If you feel we have mishandled your personal data, you can lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or with the supervisory authority in the EU country where you live or work.

Netherlands: autoriteitpersoonsgegevens.nl
Other EU Member States: a full list is available from the European Data Protection Board.

We always appreciate the chance to fix things first — if we’ve made a mistake, email [protected email] and give us a week to make it right. But you do not have to contact us before going to the regulator, and we will not retaliate for any complaint you file.

GDPR Article 77.

Frequently asked

How do I know you actually deleted my data?

When you delete your account we remove you from active systems immediately and send a confirmation email. We cannot guarantee data has rolled off every backup until the rolling 30-day backup window has elapsed, but after that point the data is gone from our infrastructure.

Can I ask for the raw IP addresses of people who clicked my links?

No. We never store raw IP addresses. We only store SHA-256 hashes with a salted rotating key, precisely so that this kind of re-identification is not possible.

What if I am not the account holder but I think bzz.nu has my data?

Email [protected email] and describe the situation. We may need to verify your identity before responding. If you think a short link exposes your personal data, please also file a notice under our Notice and Takedown procedure.