1. Who we are
murls ("murls", "we", "us") is a link-in-bio service for businesses. It is built and operated by Ahsan Haroon, an independent founder with 12 years of experience building for the web. murls is the trading name of the service available at murls.co.
For privacy questions, you can reach the founder directly at support@murls.co — there is no third-party support team between you and the person responsible for your data.
2. What data we collect
We split data into five categories. Each one has a clear purpose and is only kept for as long as we need it (see section 6).
2.1 Account data
- Email address (required)
- Business name (optional)
- Business type (optional — e.g., restaurant, salon, freelancer)
- Password hash (when you create an account — we never see or store your plain password)
- Account creation date and last sign-in timestamp
2.2 Page content you publish
- Links, titles, descriptions, and the order of items on your murls page
- Images you upload (logo, profile photo, link thumbnails)
- Your chosen theme, colors, and page URL slug
This content is public by default— that's the point of a link-in-bio page. Don't put anything on it you wouldn't share with the world.
2.3 Usage & device data
- IP address (truncated and stored only for security and abuse prevention)
- Browser type, operating system, and device type
- Pages visited on murls.co and the order you visited them in
- Approximate location (country / city level — derived from IP, never GPS)
- Referrer URL (the website that sent you to murls.co)
2.4 Page analytics (for your murls page)
We count page views, link clicks, and tap-throughs on your murls page so you can see what works. Free accounts see total view counts. Pro accounts see per-link click counts and basic source data (e.g., "came from Instagram"). We do not place third-party cookies on your page and we do not identify individual visitors.
2.5 Marketing attribution
If you arrive at murls.co via a link with UTM parameters (e.g., from a Google or Instagram ad), we store those parameters with your account. This tells us which channels are bringing serious users so we know where to keep investing. We do not link this data to a personal profile across the internet.
2.6 Payment data
Pro payments are processed by Paddle, our Merchant of Record. We see your billing email, country, and the last four digits of your card. We never see, store, or have access to your full card number. That stays with Paddle.
3. Why we collect it (legal basis)
We collect data for clearly defined purposes. Where required, the lawful basis under GDPR and similar frameworks is listed in brackets.
- To provide the service — host your page, let you sign in, process payments. [Performance of a contract]
- To improve the product — understand which features are used and where users drop off. [Legitimate interest]
- To communicate with you — send the launch email, product updates you opted into, transactional emails about your account. [Consent or contract]
- To prevent abuse — block spam, fake signups, illegal content, brute-force login attempts. [Legitimate interest]
- To comply with law — respond to lawful government requests, tax reporting on paid plans. [Legal obligation]
4. Who we share it with
We don't sell or rent your data. We do use a small number of trusted vendors (sub-processors) to run the service. Here's the full current list — when we add or change any of these, we'll update this page.
| Vendor | Purpose | Region |
|---|---|---|
| Supabase | Database, authentication, file storage | AWS (Asia-Pacific) |
| Vercel | Web hosting and global CDN | Global edge network |
| Google Analytics 4 | Marketing site analytics (anonymized IP) | Global |
| Paddle | Payment processing & billing (Pro plan) | Global |
| Resend | Sending account & notification emails | Global |
| Meta (Pixel & Conversions API) | Measuring our own ads — the Meta Pixel runs on the murls.co marketing site only, and our server reports signups that came from our ads (hashed email + ad-click ID). Never used on published murls pages. | Global |
We share data with these vendors only to the extent needed to deliver the service. They are bound by their own contractual and regulatory obligations not to use your data for their own purposes.
Other disclosures
- Legal requests — if we receive a valid legal order from a Pakistani court or another authority with jurisdiction, we will comply. We will notify you first where the law allows it.
- Business transfers — if murls is ever acquired, merged, or transferred, your data may move to the new operator under the same terms. We will email you before this happens.
- Aggregated, non-identifying stats— we may publish aggregate numbers (e.g., "X businesses signed up this month") but never anything that can identify you.
How we compare
What "not selling data" actually means
Honest comparison against typical link-in-bio platforms. We can't speak for them — only quote what their published policies say.
| Practice | murls | Typical link-in-bio |
|---|---|---|
| Sells aggregated user data | Never | Sometimes |
| Third-party ads on free tier | None | Common |
| Trains AI on your content | No | Often unclear |
| One-click data export | Yes, free | Sometimes paid-only |
| Hard-delete on account closure | 30 days | Often retained longer |
| Direct contact with the founder | Yes | No |
6. How long we keep your data
- Marketing email list: until you unsubscribe (in which case we delete it within 30 days).
- Account & page data: for as long as your account is active. If you delete your account, we hard-delete everything within 30 days (some encrypted backups may persist for up to 90 days, then are overwritten).
- Server logs (IP, request data): 30 days.
- Billing records: kept for 7 years to comply with Pakistani tax law.
- Analytics data: aggregated event data is kept up to 26 months in Google Analytics with no personal identifiers.
7. Where your data is stored
Your account and page data is stored on Supabase (Postgres), hosted on AWS infrastructure in the Asia-Pacific region (closest to most of our users for performance).
Our website is served from Vercel's global edge network so it loads quickly wherever you are. Static files travel across this CDN but do not contain your account data.
If you're in the EU, UK, or another region with data transfer rules, by using murls you acknowledge that your data may be processed outside your home jurisdiction. We rely on the standard contractual clauses our sub-processors offer for cross-border data transfer.
8. Your rights
You have the following rights over your data, regardless of where you live. We'll honour any of these within 30 days of your request.
- Access — get a copy of the data we hold on you.
- Export (portability) — receive your data as a JSON file you can take elsewhere.
- Correction — fix anything inaccurate. Most of this you can do yourself in your account settings.
- Deletion (right to be forgotten) — delete your account and everything associated with it.
- Restrict or object — ask us to stop a specific use of your data while we look into it.
- Withdraw consent — for anything we do based on your consent (like marketing emails), pull it back any time. The link is at the bottom of every email.
- Complain— if you're in a country with a data protection regulator and you're not happy with how we've handled your request, you have the right to lodge a complaint with them.
To exercise any of these, email support@murls.co. We don't require you to use a special form — a plain-language email works.
9. How we keep your data safe
- All traffic to murls.co is encrypted in transit using TLS 1.2 or higher (HTTPS everywhere — no exceptions).
- Passwords are hashed using industry-standard algorithms by Supabase Auth. The plain-text password never leaves your browser.
- The database enforces row-level security (RLS)— even an internal query bug cannot let one user read another user's data.
- Backups are encrypted at rest.
- Access to production systems is limited to the founder and protected by 2-factor authentication.
- We follow the principle of least privilege: our sub-processors only get the data they need to do their specific job.
No system is 100% secure. If we ever discover an issue that affects your data, you'll hear from us promptly (see section 12).
10. Marketing emails
When you create an account or opt in to our updates, you may receive:
- Essential account emails (sign-up confirmation, password reset).
- Occasional product updates (no more than ~once a month).
Every marketing email has an unsubscribe link at the bottom. One click and you're out — we don't ask you to log in or jump through hoops.
Transactional emails (password reset, payment receipt, account deletion confirmation) are sent as part of the service and aren't subject to unsubscribe.
11. Children
murls is for businesses and is not directed at people under 13. We do not knowingly collect data from anyone under 13. If you believe a child has signed up, email support@murls.coand we'll remove the account.
12. Data breaches
In the unlikely event of a security incident that affects your personal data, we will:
- Contain the issue first.
- Email all affected users within 72 hours of confirmation, explaining what happened, what data was involved, and what we're doing about it.
- Notify the relevant authorities where the law requires it.
- Publish a public post-mortem after the dust settles.
13. Changes to this policy
We may update this policy as the service grows or as the law changes. For minor edits (typos, clarifying wording) we'll update the "Last updated" date at the top. For anything material — like adding a new category of data or a new sub-processor — we will email every account holder at least 14 days before the change takes effect.
14. Governing law
This policy and any disputes related to it are governed by the laws of the Islamic Republic of Pakistan. We also voluntarily follow international best practices (GDPR-style transparency and rights) to keep things consistent for our users worldwide.
We comply with the Prevention of Electronic Crimes Act 2016 (PECA) and will follow the Personal Data Protection Bill once it is enacted in Pakistan. Any disputes will be resolved in the courts of Karachi.
15. Contact us
Questions about privacy, your data, or this policy — go straight to the founder.
- Email: support@murls.co
- WhatsApp: +92 344 2092953
- Operator: Ahsan Haroon
Still want to join us?
You've read this far — you take this seriously. So do we.
Create your page freeOr read the Terms of Service next.