Privacy Policy

Last updated: April 24, 2026

1. Introduction

lyng.my.id (“lyng”, “we”, “our”, or “us”) is a link shortening service operated independently. We are committed to handling your personal data with transparency, care, and respect.

This Privacy Policy describes what information we collect when you use lyng.my.id, why we collect it, how it is stored and protected, who it may be shared with, and what rights you have over it. By using the Service, you acknowledge that you have read, understood, and agreed to this Privacy Policy in full. If you do not agree, you must stop using the Service immediately.

This Privacy Policy is incorporated into and must be read together with our Terms of Service. Terms not defined here have the meaning given to them in the Terms of Service.

2. Governing language

This Privacy Policy is drafted in English, which is the sole legally binding and authoritative version. Any translation provided through the Service or by any other means is for convenience only. In the event of any conflict, ambiguity, or inconsistency between the English version and any translated version, the English version shall prevail in all respects. You waive any right to rely on a translated version as a legal instrument.

3. Information we collect

We collect only the minimum information necessary to operate the Service effectively and securely.

3.1 Information you provide directly

Email address. Required when you create an account. Used solely for authentication, account recovery, and essential service communications. We do not send unsolicited marketing emails.
URLs you submit. The long URLs you shorten are stored so we can redirect visitors to the original destination. We do not routinely read or screen the content of destination pages beyond automated abuse detection.
Custom slugs. If you select a custom short code (a Premium feature), that slug is stored alongside your link record.
API keys. If you use the Developer dashboard to create projects and generate API keys, we store the key metadata (project name, key prefix, creation date, last used date) associated with your account. Full API key values are shown only once at creation and are not stored by us in recoverable form thereafter.
Support communications. If you contact us by email, we retain the content of that correspondence to respond to and resolve your inquiry.

3.2 Information collected through the API

When you make requests to the lyng REST API using an API key, we log the timestamp and the action performed (e.g. link created, links listed) for rate limiting and abuse detection purposes. We do not log the IP address of the API caller beyond what is retained in standard server infrastructure logs, which are retained for no more than 30 days.

3.3 Information collected automatically

Click events. Each time a shortened link is visited, we record a timestamp and the slug that was clicked. We do not record the visitor's IP address, browser user-agent, device type, or referring URL.
Anonymous session cookie. For guest users (no account), we set a cookie named lyng_anon containing a randomly generated UUID. This is used exclusively to enforce the one-link-per-month guest limit. It contains no personal information and expires automatically at the end of each calendar month.
Authentication session cookies. When you sign in, Supabase Auth sets session cookies prefixed with sb- to maintain your authenticated session. These are strictly necessary for the Service to function and are cleared when you sign out.
Terms acceptance. We store a flag in your browser's localStorage under the key lyng_tos_v1 to record that you have accepted our Terms of Service. This is stored locally on your device only and is not transmitted to our servers.

3.4 Information we do not collect

We do not collect IP addresses of link visitors, browser fingerprints, device identifiers, operating system details, geographic location data, referrer URLs from link visitors, or any behavioral or interest-based tracking data. We do not use third-party advertising networks, analytics SDKs, or tracking pixels on the Service.

4. Legal basis for processing

Where applicable law requires us to identify a legal basis for processing your personal data, we rely on the following:

Performance of a contract. Processing your email address and submitted URLs is necessary to provide the Service you have requested.
Legitimate interests. We process click event data and abuse-detection signals on the basis of our legitimate interest in operating a secure and functional service. We have assessed that these interests are not overridden by your privacy rights.
Legal obligation. We may process and retain data where required by applicable Indonesian law or valid legal process.
Consent. Where we rely on consent (such as for reCAPTCHA), you may withdraw it at any time, though this may affect your ability to use the Service.

5. How we use your information

We use the information we collect strictly for the following purposes:

To resolve short URLs and redirect visitors to the original destination.
To provide you with click analytics on your own links within your dashboard.
To authenticate your identity when you sign in or recover your account.
To enforce the usage limits applicable to your account tier (guest, free, or Premium).
To detect, investigate, and prevent abuse, spam, malware distribution, and violations of our Terms of Service.
To respond to your support requests, legal notices, or other communications directed to us.
To comply with applicable legal obligations.

We do not use your data to build advertising profiles, retarget you across the web, train machine learning models on your personal information, or derive inferences about your identity, interests, or behavior beyond what is necessary to operate the Service.

6. Sharing and disclosure

We do not sell, rent, trade, or broker your personal data to any third party for any commercial purpose. We may share data only in the following limited and specific circumstances:

Infrastructure providers. We use Supabase to host our database and manage authentication. Supabase processes data on our behalf as a data processor under its own privacy and security commitments. No other sub-processors have access to your personal data.
Google reCAPTCHA. The link shortening form uses Google reCAPTCHA v3. Submission data is processed by Google subject to their own privacy policy. See Section 8 for details.
Legal obligations. We may disclose your information if required to do so by applicable law, regulation, court order, or other valid legal process issued under Indonesian or other applicable law.
Protection of rights and safety. We may disclose information to investigate, prevent, or take action against illegal activity, fraud, abuse of the Service, or credible threats to the safety of any person.
Business transfers. If lyng.my.id is acquired, merged, or its assets are transferred, your data may be transferred to the successor entity, subject to the same privacy protections as described in this policy.
With your consent. We may share your data for any other purpose with your explicit prior consent.

7. International data transfers

lyng.my.id is operated from Indonesia. Your data is stored on Supabase-managed infrastructure. Supabase may host data in data centers located outside Indonesia, including within the European Union or the United States. By using the Service, you consent to the transfer of your information to these jurisdictions, which may have different data protection laws than your country of residence.

We take reasonable steps to ensure that any international transfers are subject to appropriate safeguards consistent with this Privacy Policy and applicable law. We are not responsible for the privacy practices of jurisdictions to which data is transferred beyond our control.

8. Google reCAPTCHA

The link shortening form is protected by Google reCAPTCHA v3 to prevent automated abuse. reCAPTCHA operates silently in the background and may collect hardware and software information, including device and application data, to assess whether a form submission originates from a human or an automated bot. This information is transmitted to and processed by Google.

Your use of the Service is therefore also subject to Google's Privacy Policy and Terms of Service. We have no visibility into or control over the data Google collects through this mechanism, and we are not responsible for Google's data practices.

9. Data storage and security

All personal data is stored in Supabase-managed PostgreSQL databases. Access to your data at the application level is enforced by row-level security (RLS) policies, ensuring that only authenticated requests associated with your account can read or modify your links and analytics.

Data at rest is encrypted by the underlying cloud infrastructure. All connections to the Service are encrypted in transit using TLS 1.2 or higher. Passwords are never stored in plain text; authentication is managed by Supabase Auth, which uses industry-standard secure hashing.

While we implement reasonable and appropriate technical and organizational security measures, no system is completely immune to unauthorized access, breaches, or data loss. We cannot guarantee the absolute security of your data and are not liable for breaches that occur despite such measures. You are responsible for maintaining the security of your account credentials.

10. Security incidents

In the event of a data breach that is likely to result in a high risk to your rights and freedoms, we will make reasonable efforts to notify affected users without undue delay, where we are able to identify and contact them. Notification will include the nature of the breach, the categories of data affected, and the steps we are taking in response.

We will also notify relevant regulatory authorities as required by applicable law. However, we are not liable for any damages, losses, or consequences arising from a security incident that occurs despite our reasonable security measures, or from incidents caused by factors outside our control, including but not limited to third-party infrastructure failures or cyberattacks.

11. Data retention

We retain personal data for as long as your account is active or as otherwise necessary to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements.

Links and associated click records are retained until you delete them from your dashboard, at which point they are permanently and immediately removed.
Upon account deletion, your email address and all associated links and click data are permanently deleted within 30 days of the request.
The lyng_anon cookie expires at the end of each calendar month. Links created under that session remain in the database but are no longer associated with any identifiable session after expiry.
API key metadata is retained for as long as the associated project exists. Deleting a project permanently removes all associated key records. API request logs are retained for a maximum of 30 days.
Support correspondence may be retained for up to 12 months after the matter is resolved.
Data we are required to retain for legal or regulatory compliance purposes will be held for the minimum period required by law, after which it will be securely deleted.

12. Cookies

We use the following cookies and local storage items. We do not use advertising cookies, third-party tracking cookies, or cross-site analytics cookies of any kind.

lyng_anon (first-party, functional): a random UUID set for guest users to enforce the monthly link limit. Expires at the end of each calendar month. Contains no personal data.
sb-* (first-party, functional): session cookies set by Supabase Auth to maintain your authenticated login session. Required for account features to work. Cleared on sign-out.
lyng_tos_v1 (localStorage, functional): a flag stored locally in your browser to record Terms of Service acceptance. Not transmitted to our servers.

13. Automated decision-making

We do not make any decisions about you that are based solely on automated processing and that produce legal or similarly significant effects. Our abuse detection systems may flag links for review, but no account action is taken without human consideration. You may contact us at hellolyng@gmail.com to contest any action taken against your account.

14. Children's privacy

The Service is not directed to children under the age of 13 and we do not knowingly collect personal data from children. If you are a parent or guardian and believe that a child has provided us with personal information without your consent, please contact us immediately at hellolyng@gmail.com and we will take prompt steps to delete that information.

15. Third-party links and services

The Service enables access to third-party websites through shortened links. We are not responsible for the privacy practices, data collection, or content of any third-party website or service accessed through a lyng.my.id link. We strongly encourage you to review the privacy policies of any third-party sites you visit. The existence of a lyng.my.id link does not constitute an endorsement of the destination's privacy practices.

16. Your rights

Subject to applicable law and verification of your identity, you have the following rights regarding your personal data:

Access. You may request a copy of the personal data we hold about you.
Correction. You may ask us to correct inaccurate or incomplete data associated with your account.
Deletion. You may delete individual links directly from your dashboard at any time, or request full account and data deletion by contacting us.
Portability. You may request a structured, machine-readable export of the personal data you have provided to us.
Restriction. You may request that we restrict processing of your data in certain circumstances, such as while a correction request is pending.
Objection. You may object to processing of your personal data where we rely on legitimate interests as the legal basis. We will cease processing unless we can demonstrate compelling legitimate grounds.
Withdrawal of consent. Where processing is based on your consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, email us at hellolyng@gmail.com. We will respond within 30 days. We may require you to verify your identity before fulfilling a request. We reserve the right to decline requests that are manifestly unfounded, excessive, or repetitive.

17. Complaints

If you believe we have handled your personal data unlawfully or in breach of this Privacy Policy, you have the right to lodge a complaint with the relevant data protection authority in your country of residence. In Indonesia, the relevant authority is the Ministry of Communication and Information Technology (Kominfo). We would, however, appreciate the opportunity to address your concern directly first. Please contact us at hellolyng@gmail.com before escalating to a regulatory body.

18. Limitation of liability

To the maximum extent permitted by applicable law, lyng.my.id shall not be liable for any damages, losses, or claims arising from unauthorized access to your data, data breaches, data loss, or any failure of our security measures, except where such failure results directly from our gross negligence or wilful misconduct. Our total liability for any privacy-related claim shall not exceed the amounts set out in our Terms of Service.

19. Changes to this policy

We may update this Privacy Policy at any time to reflect changes in the Service, our data practices, or applicable law. Changes take effect immediately upon posting to this page. The “Last updated” date at the top reflects the most recent revision. Your continued use of the Service after any changes constitutes your binding acceptance of the updated policy. It is your responsibility to review this page periodically. We are not obligated to provide individual notice of changes beyond updating this page.

20. Contact

If you have any questions, concerns, or requests regarding this Privacy Policy or the handling of your personal data, please contact us at:

hellolyng@gmail.com

We aim to respond to all privacy-related inquiries within 5 business days.

Home Terms