Skip to main content

GDPR Compliance and Cookie Policy for URL.rw

Last Updated: April 29, 2025

At URL.rw, operated by Resident.Ventures, a U.S.-based company, we are committed to protecting your privacy and complying with the EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) for users in the European Union, as well as Rwanda’s Law No. 058/2021 on data protection for applicable users. This GDPR Compliance and Cookie Policy explains how we process personal data, ensure compliance with GDPR, and use cookies and similar technologies on our website (URL.rw and menu.url.rw) and services (link-in-bio pages, QR code generation, URL shortening, and digital menus, collectively the “Services”).

1. GDPR Compliance Overview

URL.rw complies with GDPR when processing personal data of EU residents. We are considered a data controller for personal data collected through the Services (e.g., account information, analytics data). Our compliance measures include lawful processing, transparency, and respect for your data rights.

1.1. Lawful Basis for Processing

We process personal data based on:

  • Consent: For non-essential cookies, marketing emails, or certain analytics (e.g., click tracking).

  • Contract Performance: To provide Services (e.g., creating biolink pages, generating QR codes, managing accounts).

  • Legitimate Interests: For essential cookies, security, fraud prevention, and anonymized analytics, balanced against your rights.

  • Legal Obligations: To comply with GDPR, Rwandan law, or other regulations.

1.2. Personal Data We Collect

We collect:

  • Account Information: Name, email, password (provided during registration).

  • User Content: Links, QR code details, biolink content, digital menu data (e.g., items, prices).

  • Usage Data: IP address, browser type, device information, pages visited.

  • Analytics Data: Click data, geolocation, referral sources for URLs, QR codes, or menus.

  • Cookies/Tracking: Data via cookies or similar technologies (see Section 2).

1.3. Data Subject Rights

If you are an EU resident, you have the following GDPR rights:

  • Access: Request a copy of your personal data.

  • Rectification: Correct inaccurate data.

  • Erasure: Request deletion of your data (“right to be forgotten”).

  • Restriction: Limit data processing in certain cases.

  • Objection: Object to processing based on legitimate interests (e.g., analytics).

  • Data Portability: Receive your data in a structured, machine-readable format.

  • Withdraw Consent: Revoke consent for cookies or marketing at any time.

  • Lodge a Complaint: Contact an EU Data Protection Authority (e.g., your national regulator).

To exercise these rights, contact our Data Protection Officer (DPO) at hi@url.rw. We respond to requests within 30 days.

1.4. Data Transfers

Personal data may be transferred to the U.S. or other non-EU countries (e.g., for hosting or analytics). We ensure GDPR compliance using:

  • Standard Contractual Clauses (SCCs): Legal agreements with service providers to protect EU data.

  • Adequacy Decisions: Where applicable (e.g., for certain third countries).

  • Binding Corporate Rules: For internal data transfers, if applicable.

1.5. Data Security

We implement GDPR-compliant security measures, including:

  • Encryption for data in transit (e.g., SSL/TLS) and at rest.

  • Access controls to limit data exposure.

  • Regular audits of third-party processors (e.g., hosting, analytics providers).

  • Incident response plans for data breaches, with notification to EU authorities within 72 hours if required.

1.6. Data Protection Officer (DPO)

Our DPO oversees GDPR compliance and can be reached at:

1.7. Data Retention

We retain personal data only as long as necessary:

  • Account data: Until you delete your account or after 12 months of inactivity.

  • Analytics data: Up to 24 months, unless anonymized.

  • Cookies: Per cookie duration (see Section 2).

  • Legal obligations: As required by law (e.g., tax records).

1.8. Third-Party Processors

We use GDPR-compliant third-party processors for:

  • Hosting (e.g., cloud providers).

  • Analytics (e.g., Google Analytics, with anonymized IP settings for EU users).

  • Email communications (e.g., support tools). Each processor signs a Data Processing Agreement (DPA) aligned with GDPR.

2. Cookie Usage and Logging

Cookies and similar technologies (e.g., pixels, local storage) help us enhance the Services, analyze usage, and personalize experiences. For EU users, we obtain explicit consent for non-essential cookies via a cookie consent banner.

2.1. Types of Cookies

  • Essential Cookies:

    • Purpose: Enable core functionality (e.g., user login, session management).

    • Example: Authentication cookies for account access.

    • Consent: Not required (necessary for Service operation).

    • Duration: Session-based or up to 1 year.

  • Functional Cookies:

    • Purpose: Enhance user experience (e.g., remember preferences, biolink themes).

    • Example: Storing your chosen language or font settings.

    • Consent: Required for EU users.

    • Duration: Up to 1 year.

  • Analytics Cookies:

    • Purpose: Track usage (e.g., clicks on URLs, QR code scans, menu views) to improve Services.

    • Example: Google Analytics for anonymized traffic data.

    • Consent: Required for EU users.

    • Duration: Up to 24 months.

  • Marketing Cookies:

    • Purpose: Deliver personalized ads or track campaign performance.

    • Example: Tracking referral sources for promotional links.

    • Consent: Required for EU users.

    • Duration: Up to 1 year.

2.2. Cookie Logging

We log cookie-related data to:

  • Ensure functionality (e.g., maintain login sessions).

  • Analyze anonymized usage (e.g., page views, click patterns).

  • Document consent for GDPR compliance (e.g., timestamp of consent).

Logging Details:

  • Consent Records: For EU users, we store consent status (accepted/rejected), timestamp, and cookie preferences in a secure database.

  • Anonymized Data: Analytics cookies log anonymized data (e.g., IP addresses truncated for EU users).

  • Access: Only authorized personnel access consent logs, protected by encryption.

2.3. Cookie Consent for EU Users

  • Consent Banner: EU users see a GDPR-compliant banner on their first visit, requiring opt-in for non-essential cookies (functional, analytics, marketing).

  • Granular Choices: Users can accept/reject specific cookie types.

  • Revocation: Users can withdraw consent via a “Cookie Settings” link in the footer or by contacting hi@url.rw.

  • Geo-Targeting: The banner is displayed only to EU IP addresses.

  • Documentation: Consent is logged with a unique identifier, timestamp, and preferences, retained for 12 months or until consent is withdrawn.

2.4. Managing Cookies

  • Browser Settings: Disable cookies in your browser, but this may limit functionality (e.g., login issues).

  • Cookie Settings: EU users can adjust preferences via the website’s cookie management tool.

  • Opt-Out: Contact hi@url.rw to opt out of non-essential cookies.

2.5. Third-Party Cookies

  • Google Analytics: Used for anonymized traffic analysis (EU users’ IPs are masked).

  • Other providers (e.g., ad networks): Only active with consent for marketing cookies. Third-party cookies comply with GDPR via DPAs.

3. Rwanda Data Protection Compliance

For users subject to Rwanda’s Law No. 058/2021, we:

  • Obtain explicit consent for data processing.

  • Minimize data collection (e.g., only necessary analytics).

  • Register with Rwanda’s National Cyber Security Authority if processing Rwandan data.

  • Ensure transparency via this policy.

4. Your Responsibilities

  • User Content: You are responsible for the legality of links, QR codes, or menus created via the Services. We are not liable for User Content (see Terms and Conditions).

  • Data Accuracy: Ensure account or menu data is accurate to avoid GDPR violations (e.g., incorrect personal data in vCards).

5. Changes to This Policy

We may update this policy and notify you via the website or email. Continued use of the Services constitutes acceptance of updates.

6. Contact Us

For questions, GDPR rights requests, or cookie inquiries:

To lodge a complaint, contact your local EU Data Protection Authority or Rwanda’s National Cyber Security Authority.