GDPR Compliance / GDPR Усогласеност
Last updated 26.04.2026
0.mk is committed to compliance with the General Data Protection Regulation (GDPR) for users in the European Economic Area (EEA), the United Kingdom, and Switzerland. This page details how we meet our obligations under the regulation.
1. Data controller
The data controller for 0.mk is the team behind 0.mk. For data protection inquiries, contact us here.
2. Legal bases for processing
We process personal data under the following legal bases:
| Processing activity | Legal basis |
|---|---|
| Account creation and authentication | Performance of contract — Art. 6(1)(b) |
| URL shortening and link management | Performance of contract — Art. 6(1)(b) |
| Click analytics (aggregated) | Legitimate interest — Art. 6(1)(f) |
| Abuse prevention and security | Legitimate interest — Art. 6(1)(f) |
| Transactional emails (magic link, invites) | Performance of contract — Art. 6(1)(b) |
| Marketing communications | Consent — Art. 6(1)(a) |
3. Your rights under GDPR
As a data subject in the EEA/UK/Switzerland, you have the following rights:
| Right | Description | Article |
|---|---|---|
| Access | Request a copy of the personal data we hold about you | Art. 15 |
| Rectification | Correct inaccurate or incomplete personal data | Art. 16 |
| Erasure | Request deletion of your personal data (“right to be forgotten”) | Art. 17 |
| Restrict processing | Request that we limit how we use your data | Art. 18 |
| Data portability | Receive your data in a structured, machine-readable format | Art. 20 |
| Object | Object to processing based on legitimate interest | Art. 21 |
| Withdraw consent | Withdraw consent at any time where processing is based on consent | Art. 7(3) |
| Lodge complaint | File a complaint with your local data protection authority | Art. 77 |
4. Sub-processors
We use the following sub-processors to deliver our service. All operate under data processing agreements compliant with GDPR:
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloudflare | Edge redirects, DNS, DDoS protection | Global |
| Vercel | Application hosting | United States |
| DigitalOcean | Database hosting | United States |
| Resend | Transactional email delivery | United States |
5. International data transfers
As our infrastructure is primarily based in the United States, personal data from EEA/UK/Switzerland users may be transferred internationally. We safeguard these transfers through:
- Standard Contractual Clauses (SCCs): in place with all sub-processors
- EU-US Data Privacy Framework (DPF): where applicable, our sub-processors participate in the DPF
- Data minimization: we transfer only the minimum data necessary to provide the service
6. Data protection by design
We implement privacy by design and by default throughout our service:
- IP anonymization: visitor IP addresses are never stored; country is derived at the edge and only the country code is retained
- Aggregation: click analytics are aggregated daily, individual visitor journeys are not tracked
- Minimal cookies: only essential and one first-party analytics cookie; no third-party cookies
- Least privilege: team members only access data within their workspace and role permissions
- Workspace isolation: each workspace's data is logically separated at the database level
7. Data breach notification
In the event of a personal data breach, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by Art. 33
- Notify affected individuals without undue delay if the breach is likely to result in high risk to their rights and freedoms, as required by Art. 34
- Document the breach including its nature, affected data, consequences, and remedial measures taken
8. Data Protection Impact Assessments
We conduct Data Protection Impact Assessments (DPIAs) for new processing activities that are likely to result in high risk to individuals' rights and freedoms, in accordance with Art. 35.
9. Exercising your rights
To exercise any of your GDPR rights:
- Submit a request via our contact page
- We may verify your identity before processing the request
- We will respond within 30 days (extendable by 60 days for complex requests, with notice)
- Requests are fulfilled free of charge unless manifestly unfounded or excessive
10. Contact
For GDPR-related inquiries or to exercise your data protection rights, reach out via our contact page.