Privacy Policy

Last updated: 19.04.2026

1. Who we are

The data controller for umu.ro is a private individual based in Romania. Contact: i@umu.ro.

The platform is hosted exclusively on EU-based servers and operated in compliance with GDPR (Regulation (EU) 2016/679) and Romanian Law no. 190/2018.

2. What data we collect

2.1 Account data

  • Email address — for authentication and account communications.
  • Username — chosen by you; appears in your public profile URL.
  • Password — stored exclusively as a bcrypt hash (min. 12 rounds). No plaintext passwords are ever retained.
  • OAuth identifiers — if you sign in with Google, we store the unique ID provided by that service.

2.2 Profile data (optional)

  • Display name, bio, profile photo, location, pronouns.

2.3 Anonymised analytics

When a link on your profile is clicked, we record: device type, referrer URL, country (derived from IP — the raw IP is never stored). The analytics system is self-hosted; data does not reach third parties.

2.4 Authentication cookies

  • access_token — JWT valid for 15 minutes.
  • refresh_token — renewal token valid for 7 days, rotated on each use and invalidated on sign-out.

Both cookies are HttpOnly and Secure — inaccessible to JavaScript.

2.5 Local storage data

  • umu_lang — language preference.
  • umu_loved_links — links you've liked, stored locally.
  • umu_visitor_token — anonymous session identifier for deduplicating likes.

These items are never transmitted to our servers.

3. Legal basis for processing

  • Contract performance (Art. 6(1)(b) GDPR) — for account and profile data.
  • Legitimate interest (Art. 6(1)(f) GDPR) — for anonymised click analytics.
  • Legal obligation (Art. 6(1)(c) GDPR) — for applicable legal requirements.

4. Who we share data with

We do not sell or transfer your data to third parties for advertising purposes.

  • Stripe (USA) — payment processor for Pro subscriptions, with adequate contractual safeguards (DPA + EU SCCs).
  • Sentry (USA) — error monitoring platform, with adequate contractual safeguards.

5. How long we keep data

  • Account and profile data — for the lifetime of your account + 30 days after deletion.
  • Aggregated analytics — up to 24 months.
  • Security logs — up to 90 days.

6. Your rights (GDPR)

You have the right to: access, rectification, erasure, restriction of processing, data portability, objection, and withdrawal of consent. Exercise these rights by emailing i@umu.ro. We will respond within 30 days.

If you believe your rights have not been respected, you may lodge a complaint with your national supervisory authority. In Romania: ANSPDCP (dataprotection.ro).

7. Security

We use TLS/HTTPS for all communications, bcrypt for passwords, HttpOnly + Secure cookies, refresh token rotation, and automated dependency scanning. Infrastructure is EU-hosted.

8. Changes to this policy

Significant changes will be communicated by email at least 14 days before they take effect.

9. Contact

Email: i@umu.ro