How we handle your data.

We try to keep this simple. We collect what we need to run the service, nothing else, and we never sell or share it for advertising.

Last updated · 8 May 2026

1Who we are

BigLove is a SaaS operated as a sole proprietorship (autónomo) registered in Spain. We are the data controller for the personal data we collect through biglove.to.

Trade nameBigLove

Legal formSole proprietorship (autónomo) registered in Spain

Privacy contact[email protected]

Operator identificationFor the legal identification of the operator (full name, tax ID, registered address), please send a written request to our contact form with a specific legal motivation (regulatory inquiry, court order, demonstrated legitimate interest).

2What we collect, and why

We collect only what's needed to keep your branded short links running, your account secure, and your billing accurate. Concretely:

Account information

Email addressRequired to create an account, send your magic-link login, and recover access. We hash a derivative for use as your internal user id; the original email is stored encrypted at rest.

Magic-link tokensSingle-use, expire in under an hour, and are deleted on use.

Session idStored as an HMAC-signed httpOnly cookie. Used solely to keep you signed in for 30 days.

Business information

Business namePulled from Google Places when you create your link, so your dashboard shows the right name.

Google Place IDUsed to build the canonical Google review URL your short link redirects to.

Country, city, websitePulled from Google Places. Used for dashboard context and (only with your permission) to auto-derive a Trustpilot URL on the same form.

Click analytics — Pro plan only

If your business is on the Pro plan, when someone visits one of your short links we record:

Country, region, and city — provided by Cloudflare based on the visitor's IP. We never see or store the IP itself.
A daily-rotating, salted hash of the IP — used for our own rate limiting. The hash cannot be reversed back to an IP and rotates every 24 hours.
Browser family (e.g. Chrome, Safari) and OS family (e.g. iOS, Windows) parsed from the User-Agent header. We do not store version numbers or full UA strings.
The HTTP Referer header, truncated to 256 characters, when the browser sends one.
The timestamp of the click.

If your business is on the Free, Basic, or Grandfathered plan, we do not record any of the above. Your dashboard shows synthesized sample data so you can see what Pro analytics would look like.

Billing

Payments are processed by Stripe. We never see your card details. We store the Stripe customer id and subscription id so we know which plan you're on. The list of invoices and receipts lives in your Stripe customer portal, accessible from your account.

Cookies

We use a single cookie, biglove_session, to keep you signed in. It's HMAC-signed, httpOnly, Secure, SameSite=Lax, and expires after 30 days. We do not use any analytics cookies, advertising cookies, or third-party tracking pixels.

The pages where Stripe processes a payment (Checkout and the customer portal) load Stripe's own JavaScript, which may set cookies for fraud detection. Those cookies are governed by Stripe's Privacy Policy.

3Legal basis under GDPR

We rely on the following legal bases (Article 6 of the GDPR), depending on the data:

Performance of a contract (Art. 6(1)(b)) — for account, business, billing, and link data needed to deliver the service you signed up for.
Legitimate interests (Art. 6(1)(f)) — for click analytics on the Pro plan, security logging, fraud prevention, and our own rate limiting. We've assessed that our interest in operating a working service is balanced against your reasonable expectations.
Legal obligation (Art. 6(1)(c)) — for keeping invoices and tax records for the period required by Spanish tax law.
Consent (Art. 6(1)(a)) — only where we explicitly ask for it, e.g. opt-in marketing emails (we don't send any today).

4How long we keep it

Account and business data — for as long as your account exists, plus a short backup retention window after deletion.
Magic-link login tokens — under an hour, deleted on use.
Session cookies — 30 days, or until you sign out.
Click analytics — up to 90 days, after which the rows are purged.
Billing records — 6 years, as required by Spanish tax law (Art. 30 Ley General Tributaria).
Webhook logs from Stripe — kept for idempotency and debugging, no personal data beyond the customer id.

5Who else processes your data

We rely on a small set of trusted subprocessors. Each is bound by a Data Processing Agreement and only handles what's necessary for their part of the service.

CloudflareHosting, edge runtime, database (D1), key-value store (KV), and DNS. Data may be processed at any of Cloudflare's global edge locations. Privacy.

StripePayment processing, customer portal, billing. Privacy.

ResendTransactional email (verification, magic-link login, billing notifications). Privacy.

Google Places APIWe send the business name you type into /create to look up the canonical place. We do not send personal data to Google. Privacy.

6International transfers

Some of our subprocessors are based outside the European Economic Area (Cloudflare and Stripe operate globally; Resend is US-based). Where data is transferred outside the EEA, the transfer is covered by the European Commission's Standard Contractual Clauses or an equivalent safeguard, in line with Article 46 GDPR.

7Your rights

Under the GDPR, you have the right to:

Access (Art. 15) — request a copy of the personal data we hold about you.
Rectification (Art. 16) — ask us to correct inaccurate data. You can update most fields directly from your account.
Erasure (Art. 17) — delete your account and the associated data. Note that some records (invoices) are kept for the legally required period.
Restriction (Art. 18) and objection (Art. 21) — limit or object to specific processing activities, particularly those based on legitimate interests.
Portability (Art. 20) — receive your data in a machine-readable format and transmit it to another service.
Withdraw consent at any time, where processing is based on consent.
Lodge a complaint with the Spanish data protection authority (AEPD) or your local supervisory authority.

To exercise any of these rights, email [email protected]. We aim to respond within 30 days.

8Children

BigLove is a B2B tool intended for business owners and their teams. We don't knowingly collect personal data from anyone under 16. If you believe we've inadvertently done so, please email us and we'll delete it.

9Updates to this policy

If we make material changes (new subprocessor, new category of data, etc.) we'll update the "Last updated" date at the top and, when the change affects existing users, send a heads-up by email.

10Contact

For privacy questions, data subject requests, or to flag a concern: [email protected].

For everything else: our contact form.

Plain-English summary. We collect your email so you can sign in, your business name and Google Place id so the dashboard knows what to show you, and (only on Pro plans) anonymized click metadata so you can see how your link is performing. We never sell your data, never use third-party tracking, and you can delete your account at any time.