Privacy Policy

EU.PE ("we", "us", "our") is a professional URL shortening and link management service for business users, operated by Digital Marketing Agency ROMBEY (sole proprietorship, owner: Christopher Rombey). We take the protection of your personal data very seriously and comply with the European General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), the German Telecommunications Digital Services Data Protection Act (TDDDG), and other applicable data protection laws.

This privacy policy informs you about how we collect, use, share, and protect personal data when you visit our website, use our service, or when individuals click on links managed through our service.

Data controller within the meaning of the GDPR:

Digital Marketing Agency ROMBEY
Owner: Christopher Rombey
Theodor-Körner-Str. 29
41812 Erkelenz
Germany

For data protection inquiries, you can reach us at:

Email: privacy@eu.pe
Mail: Digital Marketing Agency ROMBEY, Attn. Data Protection, Theodor-Körner-Str. 29, 41812 Erkelenz

Role distribution under the GDPR:

• For personal data that we collect directly (e.g., account information, website visits), we act as the Data Controller (Art. 4(7) GDPR).
• For data that we process on behalf of our business customers (e.g., information about individuals who click on their links), we act as a Data Processor (Art. 4(8) GDPR) according to their instructions.

Competent supervisory authority:

State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia (LDI NRW)
Postfach 20 04 44, 40102 Düsseldorf
https://www.ldi.nrw.de

When you register for an account or purchase a plan, we collect information provided by you:

• Contact information: Name, company name, business address, and email address. We may also collect a phone number for support or verification purposes, if provided.
• Login credentials: Username and password (passwords are stored exclusively in cryptographically hashed form and are not accessible to us).
• Billing details: Legal company name, billing address, VAT ID (if applicable) for invoicing purposes.
• Payment information: Payment data is collected and processed through CopeCart GmbH (Rosenstr. 2, 10178 Berlin, Germany). CopeCart acts as a reseller (Wiederverkäufer) and serves as the contractual partner for payment processing and invoicing during the order process. We do not store complete credit card numbers or bank details. We only receive payment confirmations and basic details such as payment method, transaction ID, and payment status.
• Affiliate program data: If you join our affiliate program, we collect your affiliate account details (such as payout information, e.g., PayPal email) and track referrals generated by you.
• Communications: When you contact support through our helpdesk ticket system or reach us by email, we collect your contact details and all information you provide in the inquiry.

Legal basis: Performance of a contract (Art. 6(1)(b) GDPR) or pre-contractual measures.

Whenever our service is used -- either by you as a logged-in customer creating links, or by an end user clicking on a shortened link, scanning a QR code, or viewing a "link-in-bio" page -- we automatically collect data about this interaction. This may include personal data of the link visitor. Specifically, for each link access we collect:

• IP address: The IP address of the device used.
• Geolocation: An approximate location (country, region, city) derived from the IP address (we do not determine exact addresses). This is used for analytics and features such as geo-targeting.
• Date and time: Timestamp of the click or visit, used for time-based analytics and to distinguish visits.
• Device and browser information: Information from the browser's user agent string, such as browser type (e.g., Chrome), version, operating system (e.g., iOS, Windows), and device type (mobile/desktop). We also capture the browser language setting.
• Referrer URL: If available, the URL of the page that led the user to the short link.
• Unique identifier (cookie ID): We may set a first-party cookie when a user clicks on a link to recognize returning visitors (see Section 3.3).
• Interaction details: If a link has special settings, we log the outcome (e.g., A/B testing variants, deep linking, geo-targeting rules).

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) -- our legitimate interest lies in providing the core analytics functionality for our business customers as well as in security and abuse prevention.

We exclusively use technically necessary first-party cookies. No third-party cookies are used. A cookie consent banner is therefore not required (Section 25(2) TDDDG).

Specifically, we use the following cookies:

Legal basis: Section 25(2) TDDDG -- these cookies are strictly necessary for us to provide the service you have expressly requested. Consent is not required for this purpose.

You can delete or block cookies at any time through your browser settings. Please note that disabling technically necessary cookies may limit the functionality of our service.

Our servers automatically maintain logs of incoming requests. These logs contain the data mentioned in Section 3.2 (IP address, timestamp, user agent, etc.) for each request to our system (including API calls). We use these logs for debugging, security monitoring, and maintaining service integrity. Log data is routinely deleted or anonymized after 14 days, unless required for security analysis.

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) -- security and stability of our systems.

Where we rely on legitimate interests, we have conducted a balancing test and determined that our interests do not override the rights of the data subjects. You have the right to object to processing based on legitimate interests at any time (see Section 8).

Note on marketing emails:

We occasionally send product updates, offers, or newsletters to the email addresses of our existing customers. Every marketing email includes a simple opt-out option. Non-customers only receive marketing emails after explicit consent (opt-in).

We handle your data with care and do not sell personal data. We only share data in the following situations:

5.1 With the Business Customer (Link Creator)

If you as an end user click on a shortened link, certain analytics information about your click becomes visible in the link creator's dashboard. This consists of aggregated statistics (e.g., "100 clicks from Berlin, Germany" or "60% mobile users"). We do not share your raw IP address, name, or email address directly with the business customer.

Note: The business customer who uses our service to collect analytics about link visitors is considered an independent Data Controller for this visitor data. We act as a Data Processor in this regard (see Section 9).

5.2 Within Our Organization

Personal data is only accessed by authorized personnel who need it to fulfill their duties. All employees and contractors are bound by confidentiality and data protection obligations.

5.3 Service Providers (Data Processors)

We use carefully selected third-party service providers with whom we have concluded data processing agreements pursuant to Art. 28 GDPR:

All other services (email sending, helpdesk/ticket system, affiliate management) are operated on our own infrastructure. No external service providers are used for these purposes.

5.4 Legal Disclosures

We may disclose personal data to law enforcement agencies, regulatory authorities, courts, or other bodies when we are legally required to do so or when it is necessary to enforce our rights, protect our safety, or the safety of others.

Legal basis: Art. 6(1)(c) GDPR (legal obligation) or Art. 6(1)(f) GDPR (legitimate interest).

5.5 Business Transfers

If our company is involved in a merger, acquisition, or sale of assets, personal data may be transferred to the parties involved. We will inform you in advance in such a case.

We do not sell or rent your personal data to third-party marketers. Any sharing occurs only as described above.

We are based in Germany and store and process all data exclusively on servers in Germany. Our service providers (Serverprofis GmbH and CopeCart GmbH) are likewise based in Germany.

We do not actively transfer personal data to third countries outside the EU or EEA. We will continue to use exclusively service providers based in the EU.

We retain personal data only for as long as necessary for the respective purposes or as required by statutory retention obligations:

After the respective retention period expires, personal data is securely deleted or irreversibly anonymized.

Where the GDPR applies, you have the following rights:

Important: Withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal.

Automated decision-making: We do not make decisions based solely on automated processing, including profiling, that produce legal effects concerning you or similarly significantly affect you (Art. 22 GDPR).

To exercise your rights, contact us at privacy@eu.pe. We will verify your identity and respond within one month (Art. 12(3) GDPR). In complex cases, this period may be extended by a further two months, of which we will inform you.

Right to lodge a complaint:

You have the right to lodge a complaint with a data protection supervisory authority. The authority responsible for us is:

State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia (LDI NRW)
Postfach 20 04 44, 40102 Düsseldorf
https://www.ldi.nrw.de

For most data processing activities, we have a dual role:

• As Data Controller: For data about our direct customers and website visitors, we determine the purposes and means of processing.
• As Data Processor: For data that our customers collect through their use of our service (e.g., information about individuals who click on their links), we act on behalf of the customer.

We offer our business customers a Data Processing Agreement (DPA) pursuant to Art. 28 GDPR. The DPA can be viewed and digitally signed directly in the customer profile on our platform. It governs:

• Nature, purpose, and duration of processing
• Type of personal data and categories of data subjects
• Our technical and organizational measures (TOMs)
• Our obligations as a data processor
• Regulations regarding sub-processors
• Deletion and return of data after contract termination

We implement appropriate technical and organizational measures (TOMs) pursuant to Art. 32 GDPR:

• Encryption: HTTPS/TLS encryption for all data transmissions (website, API, redirects). Encryption of sensitive data at rest.
• Access controls: Firewalls, role-based access controls -- only authorized personnel have access to systems containing personal data.
• Password security: Cryptographic hashing of all passwords (bcrypt/Argon2).
• Regular updates: Timely security patches and software updates.
• Backups: Regular, encrypted data backups.
• Monitoring: Monitoring for suspicious activities with defined incident response processes.
• Two-factor authentication: For administrative access to our systems.
• Server location Germany: All data is stored on servers in Germany.

In the event of a data breach that poses a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours (Art. 33 GDPR) and inform affected individuals without undue delay if a high risk exists (Art. 34 GDPR).

Our service is intended exclusively for business customers and is not designed for use by minors. We do not knowingly collect personal data from individuals under the age of 18. Should we become aware that a minor has submitted personal data to us, we will delete it without undue delay. Please contact us at privacy@eu.pe if you believe that data of a minor has been collected.

We may update this privacy policy from time to time to reflect changes in our service, our data processing practices, or legal requirements.

In the event of material changes, we will:

• Post a prominent notice on our website
• Inform registered account holders by email
• Update the "Last updated" date at the top of the page

Continued use of the service after the publication of changes constitutes acknowledgment of the revised policy. We recommend that you review this privacy policy regularly.

If you have questions, concerns, or requests regarding this privacy policy or the processing of your personal data:

We are happy to assist you and will handle your inquiry as promptly as possible.