Privacy Policy

Last updated: March 2026

99redirect values the privacy of its users. This Privacy Policy explains what data we collect, how we use it, and what your rights are. This policy is designed to comply with the EU General Data Protection Regulation (GDPR), Brazil's Lei Geral de Proteção de Dados (LGPD), and general privacy best practices.

1. Data We Collect

We collect the following types of data:

Account data

  • Name β€” provided during registration.
  • Email address β€” used for authentication, communication, and account recovery.
  • Domain information β€” domains you add and the redirect rules you configure.

Analytics data

  • Click counts β€” number of times each redirect rule is triggered.
  • Country of origin β€” derived from the visitor's IP address (the IP itself is not stored).
  • Device type and browser β€” derived from the User-Agent header.
  • Referrer URL β€” the page the visitor came from.

Payment data

  • Credit card details and billing information are processed directly by Stripe. 99redirect does not store credit card numbers on its servers.

2. What We Do NOT Collect

The privacy of your domain visitors is important to us:

  • IP addresses are not stored. For unique visitor analytics, we use a hash of the IP combined with a daily salt. The hash is irreversible and the salt is discarded daily, making it impossible to identify the visitor.
  • No tracking cookies. We do not use tracking pixels, browser fingerprinting, or any cross-site tracking technology.
  • We do not sell data. Your data is never sold, rented, or shared with third parties for advertising purposes.

3. How We Use Your Data

We use your data to:

  • Provide the service β€” process redirects, issue SSL certificates, and forward emails.
  • Analytics β€” display click statistics, countries, and devices in your dashboard.
  • Billing β€” process payments and manage subscriptions via Stripe.
  • Communication β€” send verification emails, password recovery, service notifications, and important updates.
  • Security β€” detect and prevent fraudulent or abusive activity.

4. Third-Party Services

We use the following third-party services:

  • Stripe β€” payment processing. Stripe has its own privacy policy and is PCI DSS Level 1 certified.
  • Let's Encrypt β€” SSL certificate issuance for configured domains. Only the domain name is shared for certificate issuance.

We do not share your personal data with any other third-party services, except when required by law.

5. Data Retention

  • Analytics data β€” retained according to your plan (7 days on Free, 90 days on Pro, 365 days on Business). After the retention period, data is automatically deleted.
  • Account data β€” maintained while your account is active. When you delete your account, all data is removed within 30 days.
  • Billing data β€” retained as required by legal and tax obligations (typically 5 years).

6. Your Rights

Under the GDPR and LGPD, you have the following rights:

  • Access β€” request a copy of all data we hold about you.
  • Export β€” export your data in a machine-readable format (JSON/CSV).
  • Rectification β€” correct inaccurate or incomplete data.
  • Deletion β€” request complete deletion of your data and account.
  • Portability β€” receive your data in a structured format for transfer to another service.
  • Objection β€” object to the processing of your data in certain circumstances.

You can exercise your rights to access, export, and deletion directly from your account settings. For other requests, please contact us through our contact page.

7. Cookies

99redirect only uses essential cookies required for the service to function:

  • Authentication token β€” keeps your session active after login. Secure, httpOnly cookie.
  • Language preference β€” stores your chosen interface language. First-party cookie, contains no personal data.

We do not use analytics, advertising, or third-party tracking cookies.

8. Security

We implement technical and organizational measures to protect your data:

  • All communications are encrypted with TLS (HTTPS).
  • Passwords are stored with bcrypt hash and unique per-user salt.
  • API keys are shown only once and stored as hashes.
  • Administrative access is restricted and protected by multi-factor authentication.
  • Backups are encrypted at rest.

9. International Data Transfers

Our servers may be located in different regions to ensure low latency. In all cases, we apply the same protection measures described in this policy and comply with applicable legal requirements for international data transfers.

10. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of significant changes by email or through a notice on the service. We recommend that you review this policy regularly.

Contact

For privacy-related questions or to exercise your rights, please reach out through our contact page.