orphl.ink
Get started

Legal

Privacy

Draft — illustrative only. This page describes our intent, not a binding agreement. For the version currently in force, contact hello@orphl.ink.

Last updated: 17 May 2026

In plain English

OrphLink is a link shortener and proxy service. We process: short-link metadata you create, click events on your links, account email and password, and (if you use API keys) API key prefixes. We do not use client-side trackers, fingerprinting, or third-party analytics on this marketing site.

What we collect

When you create an account we store an email address and a password hash (bcrypt-style). When you create short links we store the slug, destination URL, branding, targeting rules, and any expiry or moderation metadata you configure. When a visitor follows one of your short links we record a click event — timestamp, country (from the Cloudflare edge), device class, referrer domain, and UTM parameters — plus a fraud-detection flag for that event.

We deliberately do not store visitor IP addresses in long-term storage. The fraud detector hashes IPs into a short-lived rolling-window counter (1 hour TTL) so we can flag obvious abuse without keeping a log of who clicked what.

How we use it

  • Resolve short links and route visitors to the destination you configured.
  • Show you analytics for your own links — clicks, geography, devices, referrers.
  • Run automated content moderation on destination URLs so the platform isn't used for malware or phishing.
  • Send transactional email (sign-up confirmation, password reset, security alerts).
  • Detect and slow obvious click fraud against your links.

We do not sell data. We do not run advertising. There is no marketing-email list.

Where it lives

All data is stored on Cloudflare's UK data plane: D1 for relational data (users, workspaces, links, audit log), KV for ephemeral counters and rate limits, and R2 for workspace logo and favicon assets. The platform runs on Cloudflare Workers at the edge.

How long we keep it

  • Account data — until you delete the account, then purged within 30 days.
  • Short links — until you delete them or your account is closed.
  • Click events — aggregated rollups kept for the lifetime of the link; raw event stream pruned after 90 days.
  • Audit log — configurable per workspace (default 30 days on Free, 90 days on Pro, 1 year on Team).
  • Fraud counters — 1 hour rolling window in KV, then automatically expired.

Your rights under UK GDPR

You can request access to, correction of, export of, or deletion of your personal data. Email hello@orphl.ink and we'll respond within 30 days. You can also lodge a complaint with the ICO (ico.org.uk).

Subprocessors

  • Cloudflare — compute, storage, edge routing, DNS, TLS termination. UK region.
  • Resend — transactional email delivery (account, password reset, security).

We do not embed third-party analytics, ad networks, or session-replay tools.

Cookies

This marketing site (www.orphl.ink) sets no cookies. The product domains (orphl.ink short links, app.orphl.ink dashboard) set a small number of strictly necessary cookies. See our cookies page for the full list and the GDPR consent flow that workspace owners can enable.

Contact

Data controller: Orphnet Ltd, United Kingdom.
Privacy questions and rights requests: hello@orphl.ink.

Changes to this policy

When this policy changes materially, we'll post the update here with a new "last updated" date. If you have an account we'll email you. Continued use of OrphLink after a change means you accept the new policy.