Who we are
Brilliant Zone operates the URL shortener at yfi.ae from Muscat, Oman. For the purposes of the Omani Personal Data Protection Law (Royal Decree 6/2022, the "PDPL"), Brilliant Zone is the data controller responsible for personal data processed through this service.
Contact us about anything in this policy, or to exercise a right under the PDPL, at privacy@yfi.ae. We respond within 30 days.
What we collect
The service supports both anonymous link creation and accounts. We process only the personal data necessary to run the service, prevent abuse, and meet the service promises we make to you:
- Account data (if you register): your email address, your password stored as an argon2id hash (the original password is never stored and cannot be recovered by us, only reset), an optional display name and profile image, and — if you sign in with Google — the Google-supplied identifier, name, and profile image for your account.
- Link data you submit: the original (long) URL, the short code, and any optional title, category, or tags you attach when creating the link. Links created from an account are linked to that account; anonymous links are not.
- Creator metadata at link creation: the IP address of the creator and the User-Agent string sent by their browser. Used to rate-limit abusive traffic and to investigate reports of malicious links.
- Click analytics on redirects: for every click on a short link we record a timestamp, the IP address of the visitor, their User-Agent, the referring URL if any, a device classification derived from the User-Agent (mobile, desktop, tablet), and a country code where it can be inferred from Cloudflare's IP-geolocation metadata.
- Login attempts: email address submitted, IP address, User-Agent, outcome (success, wrong password, account not found, rate-limited), and timestamp. Used to enforce progressive delays against password-guessing attacks and to investigate abuse.
- Security events: if a URL submitted for shortening is flagged by our safety checks (pattern matching or a third-party reputation service), we record the attempted URL, the creator's IP, the User-Agent, and the reason for the block.
- Abuse reports: if you submit an abuse report at /report, we record the reported short code, the reason category you selected, any description you provided, your IP address, and — if you chose to include one — your email address. Reports are reviewed by our administrators and used to decide whether to disable the reported link.
- Administrative audit records: when an administrator acts on the service — banning a user, deleting links, actioning an abuse report, resetting a password — we record the action, the administrator's internal ID, the target of the action, the timestamp, and any reason text the administrator entered. These records also capture system actions that affect your account on your behalf (e.g. your own account deletion, your data export).
We do not set advertising cookies, do not use third-party analytics, and do not attempt to identify individual visitors beyond the signals above.
Accounts, sessions and short-lived tokens
When you sign in with an email and password, we issue a signed JSON Web Token (JWT) as an HttpOnly, Secure, SameSite=Lax cookie, valid for 30 days and automatically refreshed on use. The token carries your user ID and a version counter; we verify this counter against your account on every request, so when you change your password, the account is disabled by an administrator, or you initiate account deletion, the counter is incremented and all outstanding sessions become invalid on their next request — there is no stale-session window.
Three short-lived tokens support specific flows:
- Password reset tokens: when you request a reset, we generate a random token, store only its SHA-256 hash in our database, and email you the raw token. Reset tokens are valid for 1 hour and can be used once; when consumed they are marked used, and any other outstanding reset tokens for your account are deleted in the same transaction.
- Email verification tokens: created when you register or request a re-send, valid for 24 hours, consumed and deleted on use.
- Google OAuth tokens: if you sign in with Google, we store the access and refresh tokens issued by Google so we can continue to identify you. These are removed if you disconnect the Google connection or delete your account.
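The two mechanisms described above, the version counter that lets a single increment invalidate every outstanding session, and the reset token whose raw value is emailed while only its SHA-256 hash is stored, are illustrated by the following added example. It is not yfi.ae's own code: it implements an HS256 JWT by hand with the standard library, uses in-memory dictionaries in place of the database tables, and uses a constructed signing key; the function and field names (`issue_session`, `verify_session`, `token_version`, `consume_reset_token`) are assumptions chosen for the illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumption: a real deployment loads the signing key from configuration, not a literal.
SIGNING_KEY = b"constructed-demo-signing-key"

# Constructed stand-ins for the accounts and password-reset-token tables.
accounts = {}       # user_id -> {"token_version": int}
reset_tokens = {}   # sha256 hex of raw token -> {"user_id", "expires", "used"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_session(user_id: int, now: float, ttl: int = 30 * 86400) -> str:
    """Mint an HS256 JWT carrying the user ID, the account's current
    version counter, and a 30-day expiry (the policy's session lifetime)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({
        "sub": user_id,
        "ver": accounts[user_id]["token_version"],
        "exp": int(now + ttl),
    }).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_session(token: str, now: float):
    """Return the user ID for a valid token, else None. A token fails if the
    signature is wrong, it has expired, or its version counter no longer
    matches the account (password changed, disabled, deletion initiated)."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
        if now >= claims["exp"]:
            return None
        account = accounts.get(claims["sub"])
        if account is None or account["token_version"] != claims["ver"]:
            return None
        return claims["sub"]
    except (ValueError, KeyError, TypeError):
        return None


def bump_version(user_id: int) -> None:
    """Increment the counter; every outstanding session fails on its next request."""
    accounts[user_id]["token_version"] += 1


def create_reset_token(user_id: int, now: float, ttl: int = 3600) -> str:
    """Generate a random token, persist only its SHA-256 hash with a 1-hour
    expiry, and return the raw value (the part that would be emailed)."""
    raw = secrets.token_urlsafe(32)
    digest = hashlib.sha256(raw.encode()).hexdigest()
    reset_tokens[digest] = {"user_id": user_id, "expires": now + ttl, "used": False}
    return raw


def consume_reset_token(raw: str, now: float):
    """Single-use redemption: mark the token used, delete the account's other
    outstanding reset tokens, and bump the version counter because the
    password is changing. Returns the user ID, or None if the token is
    unknown, already used, or expired."""
    digest = hashlib.sha256(raw.encode()).hexdigest()
    rec = reset_tokens.get(digest)
    if rec is None or rec["used"] or now >= rec["expires"]:
        return None
    rec["used"] = True
    user_id = rec["user_id"]
    siblings = [d for d, r in reset_tokens.items() if r["user_id"] == user_id and d != digest]
    for d in siblings:
        del reset_tokens[d]
    bump_version(user_id)
    return user_id


if __name__ == "__main__":
    accounts[1] = {"token_version": 0}
    now = time.time()
    session = issue_session(1, now)
    print("session valid:", verify_session(session, now) == 1)
    raw = create_reset_token(1, now)
    print("reset consumed for user:", consume_reset_token(raw, now))
    print("old session still valid after reset:", verify_session(session, now) is not None)
```

A lookup of the reset token is done by hashing the presented value, so a leaked copy of the token table cannot be replayed; and because the session check compares the counter on every request rather than relying on token expiry, the revocation takes effect on the very next request rather than at the end of the 30-day window.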
Why we process it
We process the data under two legal bases recognised by the PDPL:
- Performance of the service: authenticating you, resolving short links to their destinations, presenting click statistics, operating account features, handling self-service data export and account deletion.
- Legitimate interests in security and safety: detecting phishing and malware URLs, rate-limiting abusive traffic, enforcing login-attempt controls, investigating reports of misuse submitted via the public abuse-report form, and maintaining an administrative audit trail of our own moderation actions.
Where your data is processed
Brilliant Zone is hosted on infrastructure operated by Hetzner Online GmbH, a German company, in data centres located within the European Union. Your personal data therefore leaves Oman and is processed in the EU, where it is subject to the EU General Data Protection Regulation in addition to our obligations under the PDPL.
Cross-border transfer is carried out under the PDPL's provision for transfers to jurisdictions offering an adequate level of protection. In addition to our primary hosting, we rely on the following third-party subprocessors, each engaged only for the purpose named:
- Cloudflare (Cloudflare, Inc.): provides the Content Delivery Network, DNS, DDoS protection, and the Turnstile CAPTCHA challenge shown on anonymous link creation and abuse reporting. Cloudflare sees every request on its way to our servers, including visitor IP addresses and HTTP headers, and provides us with a country-code estimate for click analytics. Cloudflare does not receive account credentials or link content.
- Resend (Resend, Inc.): sends transactional email on our behalf — specifically verification and password-reset messages. Resend receives only the recipient email address and the message body; it does not receive other account data.
- Google (Google LLC): identity provider for "Sign in with Google". Google receives the identifier of our OAuth client when you authenticate; we receive your email, name, profile image, and Google account identifier.
- VirusTotal (operated by Chronicle Security Ireland Ltd.): URL reputation check. VirusTotal receives the submitted URL; it does not receive visitor data or account information.
We do not sell or rent personal data to any third party.
How long we keep it
Concrete retention windows by record type:
- Account records (email, password hash, linked Google identity, display name): retained while your account is active. When you initiate deletion at /account/delete, your account is marked deleted immediately — your session is invalidated, you cannot sign in, and all short links you created stop redirecting. After 30 days, your account is automatically hard-deleted by a nightly sweeper, cascading to your links, your click history, your OAuth connections, your outstanding password-reset tokens, and your active sessions. During the 30-day window the deletion is reversible — email privacy@yfi.ae to request recovery.
- Short links created from accounts: kept until you delete them from your dashboard, or until your account is hard-deleted (at which point they cascade away). Anonymous links are kept until a deletion request is processed manually.
- Click analytics: kept for as long as the parent link exists. When a link is deleted — by you, by an administrator actioning an abuse report, or by the account-deletion cascade — all click records for that link are removed in the same transaction.
- Password-reset tokens: deleted immediately on use; sibling tokens for the same account are deleted in the same transaction. Unused tokens naturally expire after 1 hour. Verification tokens are deleted on use and naturally expire after 24 hours.
- Login-attempt records: retained for 30 days. Older records are automatically deleted once per day by a scheduled sweeper at 03:00 UTC.
- Administrative audit records: retained for 90 days. Older records are automatically deleted once per day by a scheduled sweeper at 05:00 UTC.
- Abuse reports: retained indefinitely for audit purposes and to maintain a consistent decision history on reported links.
- Security events (blocked URL-creation attempts, IP blocks): retained indefinitely for audit purposes and to investigate repeat abuse.
Your rights
Under the PDPL you have the right to:
- Access your data. Signed-in users can download a ZIP containing a copy of their account, links, click history, and login-attempt records (both JSON and CSV formats) from /settings. The export is limited to once per hour per account for performance reasons. For a parallel paper-based request, email privacy@yfi.ae.
- Correct inaccurate data. Update your display name, email, and password from /settings. For corrections to records you cannot edit directly (for example a click record containing the wrong country code), email privacy@yfi.ae.
- Delete your data. Signed-in users can initiate account deletion at /account/delete. The account is soft-deleted immediately and hard-deleted after 30 days; see the retention section above for the scope of the cascade. For anonymous links (created without an account), email privacy@yfi.ae with the short code or the original URL so we can locate the record.
- Withdraw consent. For processing based on your consent (principally the account relationship itself), withdrawal is equivalent to account deletion and follows the same flow.
- Object to processing carried out on the basis of our legitimate interests in security, where your particular situation gives you grounds to do so. Email privacy@yfi.ae with the context.
- Lodge a complaint with the Ministry of Transport, Communications and Information Technology, which supervises PDPL compliance in Oman, if you believe we have not handled your request appropriately.
We respond to PDPL rights requests within 30 days.
Reporting abusive links
If a short link on yfi.ae leads somewhere malicious, deceptive, or otherwise violates our policies, you can report it at /report. The form is available to everyone — no account required.
We record the reported short code, your selected reason category, any description you write, your IP address, and — if you choose to include one — an email address. The email field is optional and is used only to reach you if we need clarification. Reports are protected against automated abuse by a Cloudflare Turnstile challenge and are rate-limited to five submissions per IP address per 24 hours.
Our team reviews reports within 48 hours. If the link violates our policies, we disable it — visitors are redirected to a neutral "link no longer active" page. The decision to action, review, or dismiss a report is recorded in our administrative audit log.
Changes to this policy
We will update this page when our data practices change — when we add a new subprocessor, change a retention period, or launch a feature that collects different data. The date at the top of the page reflects the most recent update. Material changes will be summarised in a note at the top for a reasonable period after the change takes effect.