Privacy Policy

Last updated: June 4, 2026

1. Introduction

Alpha Wave Systems SA de CV ("we," "our," or "us"), a company registered in Mexico, operates the AWSYS.CO URL shortening service ("Service"). This Privacy Policy explains what data we collect, how we use it, who we share it with, and the choices you have.

We are committed to protecting your privacy in accordance with Mexico's Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP) and the European Union's General Data Protection Regulation (GDPR) for users in the European Economic Area.

2. Information We Collect

2.1 Account Information

When you register, we collect:

  • Email address
  • Password (stored only as a bcrypt hash — the raw password is never retained)
  • Account creation date and subscription tier

2.2 API Keys

When you generate an API key or MCP server credential, we store only a bcrypt hash of the key. The raw key is displayed to you exactly once at generation time and is never retrievable thereafter. We never log or store the plaintext value of any API key.

2.3 Links and Configuration

We store the following data you provide when using the Service:

  • Destination URLs you shorten
  • Custom slugs, folder names, and saved view configurations
  • Link settings: passwords (hashed), expiration dates, maximum click caps, geo-blocking rules, scheduling
  • Custom domain hostnames and DNS verification tokens
  • Webhook endpoint URLs and configured event types
  • QR code customization settings

2.4 Click Analytics Data

When someone clicks a shortened link, we collect and store:

  • IP address (anonymized): For IPv4, the last octet is zeroed (e.g., 203.0.113.42 becomes 203.0.113.0). For IPv6, the last 64-bit segment is zeroed. The full IP address is used transiently for geo-IP lookup and is never written to persistent storage.
  • Approximate geographic location (country, region, city) derived from the anonymized IP via IPinfo
  • Device type (desktop, mobile, tablet) and operating system
  • Browser / user agent string
  • Referring website (HTTP Referer header, if present)
  • UTM parameters and ad click IDs (if present in the destination URL)
  • Timestamp of the click

Click analytics are attributed to the link owner's account, not to the individual visitor. We do not attempt to identify or re-identify anonymous visitors from this data.

2.5 Subscription and Billing Data

Payment processing is handled entirely by Stripe. We do not store, transmit, or have access to your card number, bank account, or other payment instrument details. We receive from Stripe only: transaction confirmation, subscription status, plan type, and a Stripe customer ID that we use to manage your subscription.

2.6 Transactional Email Tracking

Transactional emails (account verification, password reset, billing receipts) are sent via Resend. These emails may contain a tracking pixel that records whether the email was opened and whether links in the email were clicked. This data is used solely to confirm delivery and diagnose deliverability issues. You may disable image loading in your email client to prevent pixel tracking.

3. How We Use Your Information

We use the collected information to:

  • Provide the Service: Create, store, and redirect shortened links; serve QR codes; enforce link rules (passwords, expiration, geo-blocking, click caps); process webhooks
  • Deliver analytics: Generate click analytics reports for your shortened links, aggregated and displayed in your dashboard
  • Billing and subscription management: Process payments, manage plan entitlements, send billing receipts and renewal reminders
  • Custom domain verification: Verify DNS ownership and configure edge routing for your custom domain
  • Fraud prevention and abuse detection: Identify and block malicious links, SSRF attempts, link farming, and other prohibited uses
  • Service communications: Send transactional emails (verification, password reset, security alerts)
  • Service improvement: Analyze aggregate usage patterns to improve performance, reliability, and features
  • Legal compliance: Respond to lawful requests from courts and regulators; enforce our Terms of Service

4. Data Retention

Click analytics data is retained according to your subscription tier. When the retention window expires, click records are permanently deleted:

Plan Analytics Retention
Free 30 days
Pro 90 days
Builder 1 year
Enterprise Custom (as agreed)

Other data is retained as follows:

  • Account data: Permanently deleted upon account deletion. Your email address, display name, and subscription details are removed immediately.
  • Shortened URLs and link configurations: When you delete your account, your links are anonymised — your identity is stripped from each link record and the link continues to redirect to its destination URL. This preserves functionality for anyone who may have bookmarked or shared the URL. If you also wish to stop the redirect, delete individual links before closing your account.
  • Payment records: As required by applicable tax laws (typically 5–7 years)
  • Security and abuse logs: Up to 90 days for fraud prevention purposes

5. Third-Party Services

We use the following sub-processors and third-party services that may process your data:

Google Firebase / Google Cloud (Google LLC)

Authentication, Firestore database, Cloud Functions, Firebase Hosting, Cloud Run (custom domain edge proxy)

Location: United States — complies with EU-US Data Privacy Framework and SCCs

Stripe, Inc.

Payment processing and subscription management. Stripe processes card and payment data directly — we receive only transaction confirmations and subscription status.

Location: United States — Stripe Privacy Policy

Resend

Transactional email delivery (account verification, password reset, billing receipts). Resend may set email open/click tracking pixels in outbound emails.

Location: United States — Resend Privacy Policy

IPinfo.io

IP geolocation used transiently for click analytics (country, region, city lookup). The anonymized IP is sent to IPinfo at click time. Results are cached in-memory (10,000 entries, 24-hour TTL) to minimize lookups.

Location: United States — IPinfo Privacy Policy

6. International Data Transfers

Alpha Wave Systems SA de CV is a Mexican company. Our infrastructure is hosted by Google LLC on servers located in the United States. By using our services, you acknowledge that your data will be transferred to and processed in the United States.

We ensure appropriate safeguards are in place:

  • Google LLC participates in the EU-US Data Privacy Framework
  • Standard Contractual Clauses (SCCs) are in place for EU data transfers where required
  • All data transfers comply with Mexico's LFPDPPP requirements

7. Cookies and Client-Side Tracking

7.1 Session Cookie

We use a single session cookie named __session to maintain your authenticated session. This cookie is set by Firebase Authentication and is strictly necessary for the Service to function. It is an HttpOnly, Secure, SameSite=Strict cookie and cannot be read by JavaScript. No advertising or tracking cookies are set by us.

7.2 Maintenance Status Check

Our pages include a script (maintenance-check.js) that makes a single HTTP request to /api/maintenance-status on each page load to determine whether to display a maintenance banner. This request does not set cookies or collect analytics data beyond what is described in this policy.

7.3 No Advertising Cookies

We do not use advertising networks, retargeting pixels, or third-party analytics cookies. We do not sell or share your browsing behavior with any advertising platform.

8. Data Security

We implement technical and organizational measures to protect your data:

  • Encryption in transit: All connections to awsys.co and our APIs use TLS (HTTPS). We enforce HTTPS and reject plain-HTTP connections.
  • Password hashing: Account passwords are hashed with bcrypt before storage. We never store or log plaintext passwords.
  • API key hashing: API keys are hashed with bcrypt before storage. Plaintext keys are displayed once at creation and never retrievable. We never log raw API key values.
  • IP anonymization: Full IP addresses are never written to persistent storage; only the anonymized prefix is retained with analytics records.
  • Access controls: Database access is restricted via Firebase Security Rules and service-account credentials. Admin access requires multi-factor authentication.

No method of transmission over the Internet or electronic storage is 100% secure. While we employ commercially reasonable safeguards, we cannot guarantee absolute security.

9. Your Rights

9.1 Under Mexican Law (LFPDPPP)

You have ARCO rights:

  • Access: Request a copy of the personal data we hold about you
  • Rectification: Correct inaccurate or incomplete data
  • Cancellation: Request deletion of your personal data
  • Opposition: Object to certain processing of your data

9.2 Under GDPR (EU/EEA Users)

You additionally have:

  • Data portability: Receive your link data in a structured, machine-readable format (CSV export)
  • Right to erasure: Request that we delete your account and associated data
  • Withdraw consent: Where processing is based on consent, you may withdraw it at any time
  • Lodge a complaint: You have the right to lodge a complaint with your local supervisory authority

9.3 How to Exercise Your Rights

You can exercise most rights directly in your account:

  • Delete account: Settings → Account → Delete Account. Your account profile is deleted immediately; links are anonymised and continue to redirect.
  • Export data: Dashboard → Export → CSV. Downloads your link data and analytics summary.
  • Correct email: Settings → Profile → Update email.
  • Other requests: Contact us at info@awsys.co. We will respond within 30 days.

9.4 Account Deletion by Email

If you cannot access your account (e.g., you no longer have access to the registered email address), you can request deletion by sending an email to info@awsys.co with the subject line Account Deletion Request, including your account email address in the body.

We will verify your identity before proceeding and process the request within 30 days. For full details on what gets deleted and what happens to your links, see our Account Deletion page.

10. Children's Privacy

The Service is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16. If we become aware that a user is under 16, we will promptly delete their account and associated data.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email to your registered address or via a prominent in-app notice at least 14 days before they take effect. Non-material changes (corrections, clarifications) may be posted without advance notice. The "Last updated" date at the top of this page always reflects the current version. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

12. Severability

If any provision of this Privacy Policy is found to be invalid, illegal, or unenforceable by a court of competent jurisdiction, such invalidity shall not affect the validity of the remaining provisions, which shall continue in full force and effect. The invalid or unenforceable provision shall be modified to the minimum extent necessary to make it valid and enforceable while preserving the original intent.

13. Contact Us

For privacy-related inquiries or to exercise your rights, contact us at:

Alpha Wave Systems SA de CV

Email: info@awsys.co