How do I shorten a URL?

Paste your long URL into the input field on the hrva.cc homepage and click 'Shorten'. You can optionally set a custom alias, visit limit, or expiration date before shortening.

Is hrva.cc free to use?

Yes, hrva.cc is completely free to use. You can shorten URLs, set visit limits and expiration dates, and track analytics without any cost.

Can I track how many people clicked my link?

Yes, creating an account lets you see click analytics for every link you shorten, including total visits, visit history, and per-link performance.

How do expiration dates and visit limits work?

When shortening a URL, you can set a visit limit (the link stops working after N visits) or an expiration date (the link expires at a specific time). Both features give you full control over your links.

What is a URL shortener used for?

A URL shortener converts long web addresses into short, shareable links. They are commonly used on social media, in emails, and in marketing campaigns to make links cleaner, trackable, and easier to manage.

Privacy

Privacy Policy

Last updated: June 10, 2026

In short: we collect only what the service needs to work. No ads, no tracking cookies, no third-party analytics. Visitor IP addresses are hashed immediately and deleted within 48 hours.

Who we are

hrva.cc is a non-commercial hobby project of HrvaLabs.net, operated by Karlo Hrvačić, who is the data controller within the meaning of Art. 4(7) of the General Data Protection Regulation (GDPR). The service is provided free of charge and as is — see the Terms of Use. For anything related to your personal data, contact privacy@hrvalabs.net.

What we collect and why

Account data

When you register, we process your email address, an optional display name, and your password, which is stored only as a salted one-way hash. If you sign in with Google, we receive your name and email address from your Google account instead of a password. If you enable two-factor authentication, we store the shared secret and recovery codes needed to verify your codes. We also record when your account was created and when you last logged in.

Legal basis: performance of a contract (Art. 6(1)(b) GDPR) — this data is required to provide your account.

Link statistics (visitors who open short links)

When someone opens a short link, we count the visit and check whether it is a unique visitor. To do this, the visitor's IP address is hashed with a salted one-way function the moment it is received — the plain IP address is never written to our database. Each hashed record is used for unique-visitor detection for 2 hours and is permanently deleted within 48 hours. Link owners only ever see aggregate numbers (visit counts and daily unique visitors), never anything about an individual visitor.

Legal basis: legitimate interest (Art. 6(1)(f) GDPR) — providing link owners with basic, privacy-preserving usage statistics and protecting the service from abuse.

Storage in your browser

After you log in, we keep a single authentication token in your browser's localStorage so you stay signed in. It is strictly necessary to provide the service you requested, which is why no consent banner is required for it (Art. 5(3) of the ePrivacy Directive, implemented in Croatia by the Electronic Communications Act). We set no tracking cookies and use no analytics or advertising scripts. Fonts are self-hosted — your browser does not contact third-party font services.

Emails we send

We send transactional emails only: address verification, password reset, and notifications about your expiring links. We keep a log of emails sent to operate and troubleshoot delivery. We do not send marketing email.

Security and audit logs

We keep internal audit logs of security-relevant events (such as logins and administrative actions) to protect the service and its users. Legal basis: legitimate interest (Art. 6(1)(f) GDPR).

Who else receives data

Google Sign-In — only if you choose to log in with Google; Google acts as your identity provider under its own privacy policy.
Google Safe Browsing— destination URLs you shorten are checked against Google's threat database to protect visitors from malicious sites. Only the URL is sent, never information about you or your visitors.
Cloudflare — delivers the web application (hosting/CDN). Your IP address reaches Cloudflare as part of normal traffic delivery.
Email delivery — transactional emails are sent via [email provider].
Backend hosting — the API and database are hosted by [hosting provider] in [location].

We do not sell personal data and we do not share it with anyone beyond the processors listed above.

How long we keep data

Hashed visitor IPs — deleted within 48 hours of the visit.
Account data — kept until you delete your account; unused accounts are deactivated automatically after a period of inactivity.
Password reset tokens — deleted as soon as they expire.
Your links and their statistics — kept while your account exists; deleting a link also deletes its visit records.
Email and audit logs — kept for [retention period].

Your rights

Under the GDPR you can request access to, correction of, or deletion of your personal data, ask us to restrict or object to processing, and receive your data in a portable format (Arts. 15–21 GDPR). Write to privacy@hrvalabs.net and we will respond within one month. You also have the right to lodge a complaint with the Croatian Personal Data Protection Agency (AZOP) or your local supervisory authority.

Changes to this policy

If we change how we process personal data, we will update this page and the date at the top. Substantial changes affecting registered users will also be announced by email or in the app.

Contact

Questions about privacy at hrva.cc: privacy@hrvalabs.net.