AppRouteLegalPrivacy
Legal · Privacy policy

Privacy policy.

Plain-English. Hashed IPs, no resale, no third-party trackers in the redirect flow.

Privacy policy

Last updated May 02, 2026v3.2
01

What we collect

When you open a short link we collect the minimum signal needed to route your click and produce honest analytics for the link's owner: a hashed IP, a hashed User-Agent, the requested URL, and the rule that matched. From the User-Agent and request headers we derive coarse, non-identifying labels — device type and model, operating system and browser (with versions), the country/region and timezone, your browser language, and the referring site.

We also generate two opaque identifiers so the owner can see sessions rather than disconnected clicks: a visitor identifier (a salted hash of the hashed IP + User-Agent, scoped to that one owner) and a session identifier (a random token in the functional `ar_sess` cookie that groups your clicks within 30 minutes). Neither is linked to your name or account. If the link's URL contains an advertising click ID (for example ttclid, fbclid, or gclid), we store that value so the owner can reconcile it with their ad platform. We do not collect names, email addresses, precise location, or any other personal identifier from a redirect.

IPs are hashed at ingestion using a salt that rotates every 24 hours. The raw IP never reaches our analytics store.
02

Why we collect it

We use it strictly to: (a) decide which destination to redirect you to, (b) produce per-link aggregate analytics for the AppRoute customer whose link you clicked, and (c) detect abuse such as automated traffic floods.

03

Who we share it with

We share data with our infrastructure sub-processors (listed on the sub-processors page) under written agreements. We do not sell data, we do not share data with advertisers, and we run no third-party trackers in the redirect flow.

04

Your rights

GDPR and CCPA grant you the right to access, correct, port, and delete personal data we hold about you. Email privacy@getapproute.com and we will respond within 14 days.

  • Right of access — copy of data we hold
  • Right to rectification — correct inaccuracies
  • Right to erasure — delete on request
  • Right to portability — machine-readable export
  • Right to object — to processing on legitimate interest
05

How long we keep it

Raw, hashed click events are retained for 90 days for debugging and abuse review, after which only aggregate counts remain. Aggregates are retained for the lifetime of the link, plus 12 months after deletion.

06

Cookies & sessions

We use a small set of first-party cookies: strictly-necessary ones for authentication and unlocking password-protected links, and a functional `ar_sess` session cookie (an opaque token, no personal data) that groups short-link clicks into a 30-minute session. Optional analytics cookies (Google Analytics) load only after you accept them in the cookie banner; we run no advertising or third-party trackers in the redirect flow. Full details and live controls are on the Cookie Policy.

When you set your cookie choices we store them in your browser. If you're signed in, we additionally keep a timestamped, audited record of each choice on your account so we can demonstrate what you consented to and when.

07

Contact

Privacy questions: privacy@getapproute.com. EU representative: AppRoute GmbH, c/o data-protection@getapproute.com.

Get started free

Try AppRoute. One link, every platform.

Free forever for 25 links and 100k clicks/month.