Legal

Privacy Policy

Statzy is a subscription SaaS platform for short links, analytics, QR codes, link-in-bio, shared reports, white-label branding, and MCP integrations. This policy explains what we collect, why, and the control you have.
Last updated · July 8, 2026

Who we are

Statzy ("we", "us", "our") operates the Statzy platform. For any privacy request, contact us at statzyhq@gmail.com. We respond within two business days.

Information we collect

Account data: email address, display name, hashed password, and (if you sign in with Google) the profile fields Google returns.

Content you create: short links, custom aliases, destination URLs, QR codes, link-in-bio pages, shared analytics reports, white-label branding assets, and MCP connection metadata.

Subscription data: plan tier (Free, Pro, Plus), billing status, renewal dates, invoice history, and the last four digits and card brand returned by our payment provider. We never store full card numbers or CVVs on our servers.

Visitor analytics: for each click on your short links or scan of your QR codes we record a rotating visitor hash, country and region (from IP, then discarded), city where available, device type, browser, operating system, language, and referrer.

Operational logs: minimal request logs used for security, abuse detection, and debugging. Retained for up to 30 days.

Why we collect it

To run the service you signed up for: authenticate you, deliver redirects, render analytics, generate QR codes, publish bio and report pages, and enforce your plan limits.

To bill your subscription, prevent fraud, and comply with financial-record obligations.

To respond to support requests, send transactional emails (receipts, renewal reminders, security alerts), and improve reliability.

We do not sell personal data. We do not build advertising profiles. We do not embed third-party trackers on your visitor redirects.

How analytics data is processed

When a visitor clicks a Statzy short link or scans a Statzy QR code, we resolve the request, record a single aggregated event, and redirect. The visitor's raw IP address is used only in-memory to derive country/city and a daily-rotating hash — it is never written to our database in plain form.

Analytics events are protected by row-level security: only the workspace that owns the link can query them. Shared reports expose aggregate data for the links you explicitly attach, and can be password-protected.

Cookies

Statzy uses only cookies and browser storage required to sign you in and remember interface preferences. See our Cookie Policy for details.

Authentication

Sessions are managed with securely signed tokens. Passwords are hashed with industry-standard algorithms and never returned to the browser. Optional social sign-in uses OAuth — we receive only the profile fields you approve.

Subscription & payment processing

Statzy is billed as a monthly subscription. Payments are processed by regulated payment providers (currently Korapay, with additional providers rolling out). Card data is entered directly on the provider's PCI-compliant checkout — Statzy only receives a tokenised reference, the last four digits, and the card brand for display.

Renewals, cancellations, and refund handling are described in our Refund & Cancellation Policy.

Security

Data is encrypted in transit (TLS 1.2+) and at rest. Access to production systems is restricted, logged, and requires multi-factor authentication. Read more in our Data Processing & Security page.

Sharing with third parties

We share personal data only with the sub-processors required to run Statzy: our cloud database and hosting provider, our email delivery provider, and our payment providers. Each is bound by a data processing agreement and processes data only on our instructions.

We disclose data to authorities only when required by valid legal process and, where lawful, we notify affected users.

Your rights

Depending on where you live, you may have the right to access, correct, export, or delete your personal data, restrict or object to certain processing, and lodge a complaint with your local data protection authority. Email statzyhq@gmail.com to exercise any of these rights.

Data retention

Account and content data is retained while your account is active. Deleting a short link permanently removes its associated analytics events. Deleting your account permanently removes personal data within 30 days, except records we must keep for tax, accounting, or fraud-prevention purposes (typically up to 7 years for invoices).

Aggregated, non-identifying analytics may be retained indefinitely for platform metrics.

Account deletion

You can delete your account at any time from Settings. If you have an active paid subscription, cancel it first so it does not auto-renew. Deletion is permanent and cannot be undone.

Changes to this policy

We may update this policy as the product evolves. Material changes will be announced by email or an in-app notice at least 14 days before they take effect.

Contact

Questions or requests? Email statzyhq@gmail.com.