Security
Security and privacy at CUQ.IN
A short link is a redirect and a counter. This page is what that actually means: what we store, what we don't, what a click logs, and where to reach us when something looks wrong.
What we don't collect.
No cookies on the public site. Open the landing page, the API docs, the contact form, or click a short link: zero Set-Cookie headers, zero document.cookie writes. The only browser storage we touch is localStorage, and only two first-party keys land there. cuq_lang holds your UI language. cuqin-recents-focus holds the recent-links list on your own device. Neither leaves your browser.
No Google Analytics, no Plausible, no Matomo, no Meta pixel, no Hotjar, no Segment. No third-party scripts on any live page. No fingerprinting, no device graph, no cross-site tracking. When you click a short link we do not log your IP against that click, we do not store your user-agent, we do not record the referrer that sent you.
What we do collect, and why.
Four things, each tied to a job.
Your email, when you request an API key. We use it to send you the key and to reach you if something breaks. A short verification code lives briefly during the sign-up step, then it is gone.
Your destination URL, when you shorten a link. Kept exactly as you submitted it.
The IP that created a short link. This is for abuse forensics and rate-limit enforcement, not for the visitors who later click the link. Visitor IPs are never kept.
Contact form messages, delivered by email to our inbox. Your IP is included in that email for abuse handling, then it lives only in the mailbox.
How a short link resolves.
You click a cuq.in link. Your browser asks our server for the code. We look up the code and send back a temporary redirect — your browser reads the Location header and goes to the destination. That is the whole exchange.
We also tell search engines not to index the short link or crawl the destination through it. If the code is unknown, the owner's account is disabled, or the target domain is on our block list, we send you back to the homepage instead — same redirect, no error page that leaks the attempted URL.
The destination sees only the origin, cuq.in. No path, no query string, no personal referrer from us.
Transport security.
Every request to cuq.in goes over HTTPS. Our SSL certificate works with any modern browser, and HTTP requests are redirected to HTTPS automatically.
Bad links, and what we do about them.
We keep a block list of known bad domains. When you try to shorten a link that hits the list, the request is refused at creation. The same list is checked at redirect time, so a domain added after a link was made stops resolving too, and the visitor lands on the CUQ.IN homepage instead of the destination. The list is curated by hand from abuse reports, not pulled from a paid feed.
If you spot a CUQ.IN link being used for phishing, malware, or a scam, mail [email protected] with the short URL and a short note on where you saw it. We review reports as fast as we can, disable the link, and add the destination domain to the block list when the pattern is clear.
GDPR and KVKK, in plain terms.
CUQ.IN is run as a personal project, not a company. That does not change your rights under the EU GDPR or Türkiye's KVKK. Both laws give you the right to see the data held about you, correct it, delete it, take a copy of it, or object to how it is used. To use any of these rights, mail [email protected] from the address tied to your API key and we act on the request within 30 days.
What we actually hold about you is small. An email address, if you asked for an API key. Visit counts on your short URLs, aggregated per link, with no per-click user attribution. The IP that created a short URL, kept for abuse forensics. No cookies on the public site, no third-party analytics, no fingerprinting. Unused links may be removed after 2 years of no activity, on request or during periodic cleanup.
Reporting a security bug.
Found a security issue. Mail [email protected] with a short write-up and, ideally, a proof of concept. We reply within a few days, fix confirmed issues, and ask that you hold public disclosure for 90 days or until a fix ships, whichever comes first. There is no paid bug bounty, this is a personal project, but credit in the fix note is available on request.