Back to homepage

Legal

Privacy Policy

Effective date: 2 June 2026 · Last updated: 2 June 2026

The short version

  • ·We never sell your data — not to advertisers, not to data brokers, not ever.
  • ·We collect the minimum needed to run your murls page and email you product updates.
  • ·You can export or delete all your data anytime — just email us.
  • ·We do not place third-party ads or tracking pixels on your public murls page.
  • ·We use Google Analytics on murls.co (the marketing site only) to understand what works.

The detailed version follows. Skip to a section using the table of contents below.

Our Privacy Pledge

Seven promises in plain English. We will not change these without telling you 14 days in advance.

  • We will never sell your data. Not to advertisers, not to data brokers, not to AI companies — not ever.
  • We will never train AI models on your data. Your page, content, and analytics stay yours.
  • Export everything in one click. Machine-readable JSON, no support tickets, no waiting.
  • Delete everything in one click. Hard-deleted within 30 days. No dark patterns, no retention games.
  • No ads, no tracking pixels, no third-party scripts on your published page. We count views anonymously so you see your stats — never to surveil or sell. Your page stays clean. The product is the product, not you.
  • If we ever shut down, you get 90 days. Notice, export, time to move your custom domain. No silent disappearances.
  • If we get acquired, you decide. 30 days notice. Stay under the same terms, or take your data and leave.

Common concerns — straight answers

The real questions we hear from business owners weighing whether to sign up. Real answers, no spin.

"What if murls shuts down? I'd lose my page."
You'd get 90 days' notice and a one-click export of everything. Your custom domain is yours — point it elsewhere the same day. We will not vanish without warning.
"What if I want to leave for another platform?"
Click export, get a JSON file, take it to any other tool you want. Your data, your call — we add no friction at the exit.
"Can a competitor see my analytics or unpublished drafts?"
Your published murls page is public (that's the point). Your analytics, drafts, and settings are private and protected by database-level row security. No other account can read your data — not even by accident.
"Can the government access my data?"
Only with a valid court order. We will push back on requests that don't meet that bar, and we'll notify you whenever the law allows it. Starting at 1,000 users we'll publish an annual transparency report.
"Are payments safe? What about my customers' cards?"
murls doesn't process your customers' payments — your page just links out to your existing checkout. For Pro plan billing, we use Paddle, our Merchant of Record (PCI-DSS Level 1, the highest standard). We never see your full card number.
"I have customers in the EU. Will using murls give me GDPR headaches?"
No. We voluntarily follow GDPR principles — transparency, consent, the right to be forgotten, data portability — even where they aren't legally required of us. You can run an EU-facing business on murls without compliance worry.
"Do you train AI models on my page or data?"
No. We do not train, sell, license, or share your data with any AI provider. Full stop.
"You're a solo founder. What if you get hit by a bus?"
Fair question. The service runs on automated infrastructure (Vercel, Supabase) that keeps your page online without manual intervention. A trusted technical executor has documented credentials and instructions to keep things running and to give every user 90 days' export notice if continuation isn't possible.

1. Who we are

murls ("murls", "we", "us") is a link-in-bio service for businesses. It is built and operated by Ahsan Haroon, an independent founder with 12 years of experience building for the web. murls is the trading name of the service available at murls.co.

For privacy questions, you can reach the founder directly at support@murls.co — there is no third-party support team between you and the person responsible for your data.

2. What data we collect

We split data into five categories. Each one has a clear purpose and is only kept for as long as we need it (see section 6).

2.1 Account data

  • Email address (required)
  • Business name (optional)
  • Business type (optional — e.g., restaurant, salon, freelancer)
  • Password hash (when you create an account — we never see or store your plain password)
  • Account creation date and last sign-in timestamp

2.2 Page content you publish

  • Links, titles, descriptions, and the order of items on your murls page
  • Images you upload (logo, profile photo, link thumbnails)
  • Your chosen theme, colors, and page URL slug

This content is public by default— that's the point of a link-in-bio page. Don't put anything on it you wouldn't share with the world.

2.3 Usage & device data

  • IP address (truncated and stored only for security and abuse prevention)
  • Browser type, operating system, and device type
  • Pages visited on murls.co and the order you visited them in
  • Approximate location (country / city level — derived from IP, never GPS)
  • Referrer URL (the website that sent you to murls.co)

2.4 Page analytics (for your murls page)

We count page views, link clicks, and tap-throughs on your murls page so you can see what works. Free accounts see total view counts. Pro accounts see per-link click counts and basic source data (e.g., "came from Instagram"). We do not place third-party cookies on your page and we do not identify individual visitors.

2.5 Marketing attribution

If you arrive at murls.co via a link with UTM parameters (e.g., from a Google or Instagram ad), we store those parameters with your account. This tells us which channels are bringing serious users so we know where to keep investing. We do not link this data to a personal profile across the internet.

2.6 Payment data

Pro payments are processed by Paddle, our Merchant of Record. We see your billing email, country, and the last four digits of your card. We never see, store, or have access to your full card number. That stays with Paddle.

3. Why we collect it (legal basis)

We collect data for clearly defined purposes. Where required, the lawful basis under GDPR and similar frameworks is listed in brackets.

  • To provide the service — host your page, let you sign in, process payments. [Performance of a contract]
  • To improve the product — understand which features are used and where users drop off. [Legitimate interest]
  • To communicate with you — send the launch email, product updates you opted into, transactional emails about your account. [Consent or contract]
  • To prevent abuse — block spam, fake signups, illegal content, brute-force login attempts. [Legitimate interest]
  • To comply with law — respond to lawful government requests, tax reporting on paid plans. [Legal obligation]

4. Who we share it with

We don't sell or rent your data. We do use a small number of trusted vendors (sub-processors) to run the service. Here's the full current list — when we add or change any of these, we'll update this page.

VendorPurposeRegion
SupabaseDatabase, authentication, file storageAWS (Asia-Pacific)
VercelWeb hosting and global CDNGlobal edge network
Google Analytics 4Marketing site analytics (anonymized IP)Global
PaddlePayment processing & billing (Pro plan)Global
ResendSending account & notification emailsGlobal
Meta (Pixel & Conversions API)Measuring our own ads — the Meta Pixel runs on the murls.co marketing site only, and our server reports signups that came from our ads (hashed email + ad-click ID). Never used on published murls pages.Global

We share data with these vendors only to the extent needed to deliver the service. They are bound by their own contractual and regulatory obligations not to use your data for their own purposes.

Other disclosures

  • Legal requests — if we receive a valid legal order from a Pakistani court or another authority with jurisdiction, we will comply. We will notify you first where the law allows it.
  • Business transfers — if murls is ever acquired, merged, or transferred, your data may move to the new operator under the same terms. We will email you before this happens.
  • Aggregated, non-identifying stats— we may publish aggregate numbers (e.g., "X businesses signed up this month") but never anything that can identify you.

How we compare

What "not selling data" actually means

Honest comparison against typical link-in-bio platforms. We can't speak for them — only quote what their published policies say.

PracticemurlsTypical link-in-bio
Sells aggregated user dataNeverSometimes
Third-party ads on free tierNoneCommon
Trains AI on your contentNoOften unclear
One-click data exportYes, freeSometimes paid-only
Hard-delete on account closure30 daysOften retained longer
Direct contact with the founderYesNo

5. Cookies & tracking

We use a deliberately small number of cookies. Here's the full breakdown.

CookiePurposeLifetimeCategory
Supabase authKeeps you signed in1 weekEssential
_ga, _ga_*Google Analytics — count unique visitsUp to 2 yearsAnalytics

We do not use:

  • Third-party tracking of any kind on your published murls page — no analytics scripts, no ad pixels, nothing. Your visitors only see what you put there.
  • Fingerprinting or session-replay tools.
  • Selling or renting anyone's data, ever.

What we do use, on the murls.co marketing site only: Google Analytics to measure how our own pages perform. The line that never moves: none of this ever runs on a published murls page.

6. How long we keep your data

  • Marketing email list: until you unsubscribe (in which case we delete it within 30 days).
  • Account & page data: for as long as your account is active. If you delete your account, we hard-delete everything within 30 days (some encrypted backups may persist for up to 90 days, then are overwritten).
  • Server logs (IP, request data): 30 days.
  • Billing records: kept for 7 years to comply with Pakistani tax law.
  • Analytics data: aggregated event data is kept up to 26 months in Google Analytics with no personal identifiers.

7. Where your data is stored

Your account and page data is stored on Supabase (Postgres), hosted on AWS infrastructure in the Asia-Pacific region (closest to most of our users for performance).

Our website is served from Vercel's global edge network so it loads quickly wherever you are. Static files travel across this CDN but do not contain your account data.

If you're in the EU, UK, or another region with data transfer rules, by using murls you acknowledge that your data may be processed outside your home jurisdiction. We rely on the standard contractual clauses our sub-processors offer for cross-border data transfer.

8. Your rights

You have the following rights over your data, regardless of where you live. We'll honour any of these within 30 days of your request.

  • Access — get a copy of the data we hold on you.
  • Export (portability) — receive your data as a JSON file you can take elsewhere.
  • Correction — fix anything inaccurate. Most of this you can do yourself in your account settings.
  • Deletion (right to be forgotten) — delete your account and everything associated with it.
  • Restrict or object — ask us to stop a specific use of your data while we look into it.
  • Withdraw consent — for anything we do based on your consent (like marketing emails), pull it back any time. The link is at the bottom of every email.
  • Complain— if you're in a country with a data protection regulator and you're not happy with how we've handled your request, you have the right to lodge a complaint with them.

To exercise any of these, email support@murls.co. We don't require you to use a special form — a plain-language email works.

9. How we keep your data safe

  • All traffic to murls.co is encrypted in transit using TLS 1.2 or higher (HTTPS everywhere — no exceptions).
  • Passwords are hashed using industry-standard algorithms by Supabase Auth. The plain-text password never leaves your browser.
  • The database enforces row-level security (RLS)— even an internal query bug cannot let one user read another user's data.
  • Backups are encrypted at rest.
  • Access to production systems is limited to the founder and protected by 2-factor authentication.
  • We follow the principle of least privilege: our sub-processors only get the data they need to do their specific job.

No system is 100% secure. If we ever discover an issue that affects your data, you'll hear from us promptly (see section 12).

10. Marketing emails

When you create an account or opt in to our updates, you may receive:

  • Essential account emails (sign-up confirmation, password reset).
  • Occasional product updates (no more than ~once a month).

Every marketing email has an unsubscribe link at the bottom. One click and you're out — we don't ask you to log in or jump through hoops.

Transactional emails (password reset, payment receipt, account deletion confirmation) are sent as part of the service and aren't subject to unsubscribe.

11. Children

murls is for businesses and is not directed at people under 13. We do not knowingly collect data from anyone under 13. If you believe a child has signed up, email support@murls.coand we'll remove the account.

12. Data breaches

In the unlikely event of a security incident that affects your personal data, we will:

  • Contain the issue first.
  • Email all affected users within 72 hours of confirmation, explaining what happened, what data was involved, and what we're doing about it.
  • Notify the relevant authorities where the law requires it.
  • Publish a public post-mortem after the dust settles.

13. Changes to this policy

We may update this policy as the service grows or as the law changes. For minor edits (typos, clarifying wording) we'll update the "Last updated" date at the top. For anything material — like adding a new category of data or a new sub-processor — we will email every account holder at least 14 days before the change takes effect.

14. Governing law

This policy and any disputes related to it are governed by the laws of the Islamic Republic of Pakistan. We also voluntarily follow international best practices (GDPR-style transparency and rights) to keep things consistent for our users worldwide.

We comply with the Prevention of Electronic Crimes Act 2016 (PECA) and will follow the Personal Data Protection Bill once it is enacted in Pakistan. Any disputes will be resolved in the courts of Karachi.

15. Contact us

Questions about privacy, your data, or this policy — go straight to the founder.

Still want to join us?

You've read this far — you take this seriously. So do we.

Create your page free

Or read the Terms of Service next.