Privacy Policy

Last updated: 2026-03-02

1. Data Controller

The data controller for this website is:
Portalix Management UG (haftungsbeschränkt)
Thalkirchner Str. 103
81371 Munich, Germany
Email: privacy@smoio.com

2. Overview of Data Processing

Smoio is a GDPR-compliant link shortener. We process data in the following areas:

  • Registered users: Email address for authentication
  • Link analytics: Anonymized click statistics (without IP storage, without cookies)
  • Website visitors: Anonymous statistics via Simple Analytics

3. Link Analytics (Click Tracking)

When someone clicks a short link created with Smoio, we collect the following data to provide analytics for our customers:

3.1 Data Collected

Data Category Processing Storage
IP Address Temporarily for country lookup (GeoIP) NOT stored
Country Derived from IP address Only 2-character code (e.g., \"DE\")
User Agent Parsing for device/browser/OS NOT stored
Device Type Derived from User Agent Mobile / Desktop / Tablet
Browser Derived from User Agent e.g., \"Chrome\", \"Firefox\"
Operating System Derived from User Agent e.g., \"Windows\", \"iOS\"
Referrer Only domain extracted e.g., \"twitter.com\" (not the full URL)
Timestamp Time of click Stored

3.2 What We Do NOT Store

  • No IP addresses: The IP is only used temporarily in memory for country lookup and immediately discarded
  • No cookies: We do not set tracking cookies
  • No fingerprints: No browser fingerprinting
  • No user IDs: No identification of individual users

3.3 Legal Basis

Processing is based on the legitimate interest (Art. 6(1)(f) GDPR) of our customers to analyze the reach of their links. Due to data minimization (no IP storage, no cookies), the legitimate interest outweighs the interests of the data subjects.

3.4 GeoIP Database

For country lookup, we use the MaxMind GeoLite2 database. This is operated locally on our servers - no data is transmitted to MaxMind.

4. Registration and Authentication

4.1 Registered Users

When registering as a customer, we collect:

  • Email address: For login and communication (required)
  • Name: Optional, for personalization

4.2 Passwordless Login (Magic Links)

We use a passwordless login method. For each login, we send a one-time link to your email address:

  • The link is valid for 15 minutes
  • After use or expiration, the token is deleted
  • No passwords are stored

4.3 Legal Basis

Processing is necessary for contract performance (Art. 6(1)(b) GDPR).

5. Cookies

This website does not use tracking cookies. We only use technically necessary session cookies:

  • Session cookie: For authentication after login
  • CSRF token: For protection against Cross-Site Request Forgery

These cookies are HTTP-only (not readable by JavaScript), transmitted only over HTTPS, and deleted at the end of the browser session. Consent is not required for technically necessary cookies.

6. Hosting and Infrastructure

6.1 Server Hosting

Our servers are operated by:
noez GmbH
Location: Frankfurt am Main, Germany

All data remains in Germany/EU. No data is transferred to third countries.

6.2 Data Security

  • TLS 1.3 encryption for all connections
  • Daily backups
  • SSH key authentication (no password logins)
  • DDoS protection

7. Third-Party Service Providers (Data Processors)

7.1 Mailgun (Email Delivery)

For sending emails (Magic Links, notifications), we use Mailgun Technologies, Inc.

  • Processing in the EU region
  • Only email address and message content are transmitted
  • Data Processing Agreement (DPA) in place

Privacy policy: https://www.mailgun.com/legal/privacy-policy/

7.2 Cloudflare Turnstile (Bot Protection)

To protect against automated access (bots), we use Cloudflare Turnstile on the login page.

  • Cloudflare processes: Browser information for bot detection
  • No cookies are set
  • No user interaction required (unlike reCAPTCHA)
  • Data Processing Agreement (DPA) in place

Privacy policy: https://www.cloudflare.com/privacypolicy/

7.3 Simple Analytics (Web Analytics)

To analyze website usage, we use Simple Analytics (Simple Analytics B.V., Netherlands). Simple Analytics is a privacy-friendly analytics service that:

  • Does not use cookies
  • Does not collect personal data
  • Does not store IP addresses
  • Is GDPR-compliant without requiring consent

Privacy policy: https://simpleanalytics.com/privacy

8. Data Retention

Data Category Retention Period
Customer data (email, name) Until cancellation + 30 days
Click analytics Depending on plan (30 days to unlimited)
Magic Links 15 minutes (automatic deletion)
Session data 120 minutes of inactivity

9. Your Rights

You have the right at any time to:

  • Access (Art. 15 GDPR): What data do we have stored about you?
  • Rectification (Art. 16 GDPR): Correction of incorrect data
  • Erasure (Art. 17 GDPR): Deletion of your data (\"right to be forgotten\")
  • Restriction (Art. 18 GDPR): Restriction of processing
  • Data portability (Art. 20 GDPR): Export of your data
  • Objection (Art. 21 GDPR): Objection to processing

Contact for data protection inquiries:
Email: privacy@smoio.com

10. Data Processing Agreement (DPA)

For customers who use Smoio to process personal data of their end users, we provide a Data Processing Agreement (DPA) pursuant to Art. 28 GDPR.

View and download DPA →

11. Right to Complain

You have the right to lodge a complaint with a data protection supervisory authority about our processing of personal data.

Competent authority:
Bavarian Data Protection Authority (BayLDA)
Promenade 18, 91522 Ansbach, Germany
Phone: +49 (0)981 180093-0
Email: poststelle@lda.bayern.de

12. Changes to this Privacy Policy

We reserve the right to adapt this privacy policy to comply with changed legal requirements or changes to our service. The current version can always be found on this page.

Back to Homepage