Privacy Policy

Last updated: 18.03.2026

1. Who we are and who processes your data

The data controller for personal data collected through the umu.ro platform is the umu.ro operator, a private individual operating in Romania under applicable European law. You can contact the controller by email at: i@umu.ro.

umu.ro is a link-in-bio platform for Romanian content creators and small businesses, allowing users to centralise all their important links in a single public profile at umu.ro/username.

The platform is hosted exclusively on servers within the European Union and operated in compliance with Regulation (EU) 2016/679 (GDPR) and Romanian Law No. 190/2018 implementing the GDPR.

2. What personal data we collect

We collect only the data strictly necessary for the platform to function.

2.1 Account data (provided by you)

  • Email address — used for authentication, identity verification, and account-related communications.
  • Username — chosen by you; appears in your public profile URL.
  • Password — stored exclusively as a bcrypt hash (minimum 12 rounds). No plain-text password is ever retained.

2.2 Profile data (optional, provided by you)

  • Display name — the name or pseudonym you choose to display publicly.
  • Bio — a short introductory text, optional.
  • Profile photo — if you choose to upload one; stored on our EU-based servers.

2.3 Links added by you

The URLs and titles of links you add to your profile. You can manage, edit, or delete them at any time from your dashboard. URLs are validated to allow only http:// and https:// protocols.

2.4 Handle claim requests (waitlist)

If you submitted a handle claim form before registering, we stored your email and desired handle solely to process that request. This data is deleted after the request is processed (approved or declined).

2.5 Anonymised analytics data (link clicks)

When someone visits your public profile and clicks a link, we record:

  • Device type — derived from the browser's user-agent string (desktop / mobile / tablet).
  • Referrer URL — the page the visitor came from, if available.
  • Country — derived from the visitor's IP address via a local GeoIP database stored on our server, processed at the moment of the click. The raw IP address is never stored or transmitted.

The analytics system is self-hosted — no data is transmitted to any third-party platform. We do not create individual visitor profiles. We do not use tracking cookies for public profiles.

2.6 Authentication cookies

We use two HTTP-only cookies to manage your authenticated session:

  • access_token — JWT access token, valid for 15 minutes.
  • refresh_token — session renewal token, valid for 7 days, rotated on each use and automatically invalidated on logout.

These cookies are marked HttpOnly and Secure — they cannot be accessed by JavaScript and are transmitted exclusively over HTTPS. For security purposes, your session is automatically terminated after 15 minutes of inactivity.

2.7 Data stored locally in your browser (localStorage)

Certain preferences and session data are stored exclusively on your device in localStorage. These are never transmitted to our servers:

  • umu_lang — your language preference (Romanian / English).
  • umu_loved_links — the list of links you have "loved" on public profiles, stored locally to avoid repeating the action.
  • umu_visitor_token — a randomly generated anonymous visitor session identifier used to deduplicate likes on the same device. It contains no personal data and cannot be linked to your identity.

You can delete this data at any time by clearing site data in your browser settings.

2.8 GDPR consent preference

We store your cookie preference (gdpr_consent) to respect your stated choice and avoid showing the consent banner on every visit.

3. What data we do NOT collect

  • We do not use Google Analytics, Facebook Pixel, or any third-party advertising tracking service.
  • We do not collect or store raw IP addresses — ever.
  • We do not collect GPS location data.
  • We do not access call logs, contacts, or any other data on your device.
  • We do not build individual behavioural profiles for advertising purposes.
  • We do not use browser fingerprinting techniques.

4. Legal basis for processing

Data category | Legal basis | GDPR article
Account data | Performance of a contract | Art. 6(1)(b)
Profile data | Performance of a contract | Art. 6(1)(b)
Added links | Performance of a contract | Art. 6(1)(b)
Handle claim requests | Consent | Art. 6(1)(a)
Anonymised analytics data | Legitimate interest | Art. 6(1)(f)
Authentication cookies | Performance of a contract | Art. 6(1)(b)
localStorage data (preferences, visitor token) | Legitimate interest | Art. 6(1)(f)
GDPR consent preference | Legal obligation / legitimate interest | Art. 6(1)(c)(f)

Processing based on legitimate interest (Art. 6(1)(f)) has been assessed through a balancing test — our interest in providing profile analytics and preventing spam does not override your fundamental rights and freedoms, particularly given that data is anonymised and stored locally.

5. Data retention periods

Data category | Retention period
Account and profile data | For the duration of the active account; permanently deleted within 30 days of account deletion.
Added links | For the duration of the account or upon explicit request.
Handle claim requests | Deleted after the request is processed (approved or declined).
Anonymised analytics data | 24 months from recording, then automatically deleted.
Authentication cookies | access_token: 15 min · refresh_token: 7 days · session: max 15 min inactivity
localStorage data | Stored locally on your device until manually cleared or upon account deletion.

6. Your rights as a data subject

Under the GDPR (Regulation (EU) 2016/679) and Romanian Law No. 190/2018, you have the following rights:

  • Right of access (Art. 15 GDPR) — you may request a copy of the data we hold about you.
  • Right to rectification (Art. 16 GDPR) — you may correct inaccurate data directly from your dashboard or by email.
  • Right to erasure (Art. 17 GDPR) — you may request deletion of your account and all associated data.
  • Right to data portability (Art. 20 GDPR) — you may request an export of your data in a structured, machine-readable format.
  • Right to restriction of processing (Art. 18 GDPR) — in certain circumstances, you may request that we limit the processing of your data.
  • Right to object (Art. 21 GDPR) — you may object to processing based on legitimate interest.
  • Right not to be subject to automated decision-making (Art. 22 GDPR) — we do not use automated decision-making with legal effects.

To exercise any of these rights, contact us at i@umu.ro. We will respond within a maximum of 30 calendar days, as required by Art. 12 GDPR.

7. Right to lodge a complaint

If you believe that the processing of your personal data infringes the GDPR or Romanian Law No. 190/2018, you have the right to lodge a complaint with the Romanian supervisory authority:

Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)

Bd. G-ral. Gheorghe Magheru 28-30, Sector 1, Bucharest 010336
dataprotection.ro · anspdcp@dataprotection.ro

You also have the right to bring proceedings before a court of competent jurisdiction in accordance with Art. 79 GDPR.

8. Data transfers outside the EU/EEA

Your data is stored and processed exclusively on servers located within the European Union. We do not transfer personal data to countries outside the EU/EEA. We do not use cloud services or sub-processors established outside the European Economic Area.

9. Sharing with third parties and sub-processors

We do not sell, rent, or trade your personal data.

The only sub-processor involved is the hosting provider (EU-based VPS), which has limited access to the infrastructure on which the platform runs, under a Data Processing Agreement (DPA) in accordance with Art. 28 GDPR. The provider does not process your data for its own purposes.

If Romanian or European law requires us to disclose data to competent authorities, we will do so only to the extent required by law and, where possible, will notify you in advance.

10. Data security

We implement appropriate technical and organisational measures to protect your data, in accordance with Art. 32 GDPR:

  • All communications exclusively over HTTPS (TLS).
  • Passwords stored as bcrypt hashes with a minimum of 12 salt rounds.
  • Short-lived authentication tokens with automatic rotation.
  • Session automatically terminated after 15 minutes of inactivity.
  • Password reset tokens are single-use, valid for a maximum of 1 hour, and deleted after use.
  • IP addresses are never stored — anonymised at the point of collection.
  • Database access restricted to the internal Docker network β€” no public exposure.

11. Data breach notification

In the event of a personal data breach that poses a high risk to your rights and freedoms, we will notify you without undue delay, in accordance with Art. 34 GDPR, and will report the breach to the ANSPDCP within 72 hours, in accordance with Art. 33 GDPR.

12. Changes to this policy

We reserve the right to update this Privacy Policy periodically. Any significant changes will be communicated to registered users by email at least 14 days before they take effect. The date of the last update is displayed at the top of this document. Continued use of the platform after the effective date constitutes implicit acceptance of the changes.

13. Contact

For any questions or requests regarding your personal data:

Email: i@umu.ro

Website: umu.ro