GDPR Compliance
Anablabs SAS — DPO: dpo@anablabs.com
URLW is designed to comply with the General Data Protection Regulation (GDPR). This page details our commitments and practices.
1. Our GDPR commitment
At Anablabs, personal data protection is a priority. URLW is designed on the principle of privacy by design: we only collect data strictly necessary for the service and retain it for the minimum required time.
- 🇫🇷 Hosting exclusively in France (OVH Gravelines)
- No resale of data to third parties
- No advertising cookies or third-party trackers
- Data encrypted in transit (TLS 1.3) and at rest
2. Sub-processors
In accordance with Article 28 of the GDPR, here are our sub-processors and their roles:
| Sub-processor | Role | Location | GDPR guarantee |
|---|---|---|---|
| OVH SAS | Server hosting (VPS, database) | 🇫🇷 Gravelines, France | EU host — no transfer outside EU |
| Stripe Inc. | Payment processing | 🇺🇸 USA / 🇮🇪 Ireland (EU) | DPA signed + EU Standard Contractual Clauses |
| Amazon Web Services | Transactional email sending (SES) | 🇮🇪 eu-west-1 (Ireland) | DPA signed + EU Addendum |
3. Transfers outside the EU
Our main servers are located in France. No transfer of personal data outside the EU is made for hosting.
Email flows via AWS SES transit through the eu-west-1 region (Ireland, EU territory). Payment data processed by Stripe may transit through the USA, governed by Standard Contractual Clauses validated by the European Commission.
4. Security measures
- TLS 1.3 encryption on all communications (HTTPS mandatory)
- Hashed passwords with bcrypt (high cost factor)
- API keys with SHA-256 hashing for secure API access
- Restricted access to data: each user only accesses their own links
- Encrypted daily backups of databases
- Application firewall and rate limiting
- Security logs retained 30 days
- Regular updates of software dependencies
5. Processing register
| Processing | Legal basis | Data concerned | Duration |
|---|---|---|---|
| User account management | Contract | Email, hashed password | Duration of account |
| URL shortening service provision | Contract | URLs, short codes | Duration of account |
| Click statistics | Legitimate interest | Aggregated counters | Duration of account |
| Billing | Legal obligation | Transaction data (via Stripe) | 10 years |
| Transactional email sending | Contract | Email address | Duration of account |
| Security logs | Legitimate interest | IP, user-agent, timestamp | 30 days |
6. Breach procedure
In case of a personal data breach, Anablabs commits to:
- Notify the CNIL within 72 hours of becoming aware of the breach
- Inform affected users without undue delay if the breach is likely to result in a high risk to their rights
- Document any breach in our internal register
- Take the necessary corrective measures
To report a security vulnerability: dpo@anablabs.com
7. Right to erasure
You have the right to request the complete deletion of your account and all your personal data. The procedure is as follows:
- Send your request to dpo@anablabs.com from your account's email address
- We confirm receipt within 48 hours
- Effective deletion is carried out within 30 days
- Billing data is retained for 10 years (legal obligation)
Data deleted following an erasure request:
- ✓ User account (email, password)
- ✓ All shortened links and their statistics
- ✓ Usage history
- ✓ Associated logs (subject to legal retention period)
8. DPO contact
Our Data Protection Officer (DPO) is available for any questions regarding GDPR or the exercise of your rights:
Email: dpo@anablabs.com
Response time: within 30 days
Supervisory authority: CNIL (cnil.fr)