Back to site

Legal

Privacy Policy

Last updated: April 20, 2026 · Effective: April 20, 2026

1. Who controls your data

For the purposes of the Kenyan Data Protection Act, 2019 and, where applicable, the EU General Data Protection Regulation (GDPR) and the UK GDPR, the data controller is:

Ronomade Technologies LTD
9 West Building, Outer ring Road, Westlands
Kenya
privacy@ilead.to

This Privacy Policy explains what personal information we collect, how we use it, and the rights you have over it.

2. Information we collect

2.1 Information you give us

  • Account information. When you register, we collect your email address and a password. We store your password as a one-way bcrypt hash, not in plaintext, and we cannot recover it.
  • Link content. The destination URLs you submit, any custom aliases you claim, and the short codes we generate.
  • Support correspondence. The content of messages you send to our support, billing, abuse, or legal email addresses.
  • Payment information. If you subscribe to Pro, our payment processor (for example, M-Pesa Daraja, Stripe, or Paystack) collects the payment details needed to process the transaction. We do not store full card numbers. We receive only the information the processor returns, such as a masked card reference, transaction ID, and payment status.

2.2 Information we collect automatically

  • Technical data. IP address, user-agent string (browser and operating system), and the date and time of your requests. We store the IP address associated with link creation in binary form for abuse prevention and rate limiting.
  • Click data. When someone follows a short link you created, we increment a click counter and record the timestamp of the most recent click. We do not currently log individual click IP addresses or user agents for your links; if we introduce more detailed analytics in future, we will update this Policy.
  • Session data. When you sign in, we create a server-side session identified by a first-party cookie (see Section 5).
  • Rate-limiting data. Short-term records linking your IP address to actions (shortening, login attempts, alias checks) so we can enforce our limits and detect abuse.

3. Why we use it and legal bases

We process your personal information for the following purposes. Under GDPR / UK GDPR, we rely on the listed legal bases.

PurposeData usedLegal basis
Providing the Service (shortening, resolving, dashboard)Account, link, technical, sessionPerformance of contract
Processing Pro subscriptionsAccount, payment processor referencesPerformance of contract
Preventing abuse and fraud; rate limiting; investigating acceptable-use violationsTechnical, rate-limit, linkLegitimate interests (keeping the Service safe and fair)
Improving and securing the ServiceTechnical, aggregate click dataLegitimate interests
Responding to support, legal, abuse, and privacy requestsAccount, correspondenceLegitimate interests / legal obligation
Complying with law, court orders, regulator requestsAny relevant dataLegal obligation
Sending essential service emails (security alerts, billing, material Terms changes)Account, emailPerformance of contract / legitimate interests

We do not currently send marketing emails. If that changes, we will ask for your consent and give you an opt-out in every message.

4. When we share information

We do not sell your personal information, and we do not share it for cross-context behavioural advertising.

We share information only as follows:

  • Service providers (data processors). Trusted vendors that help us run the Service — for example, our hosting provider, database host, payment processor, transactional email provider, and error-monitoring service. They are bound by written contracts to process data only on our instructions and to protect it.
  • Legal and safety. We will disclose information to law-enforcement, regulators, or courts when required by valid legal process in Kenya or another applicable jurisdiction, or when we reasonably believe disclosure is necessary to prevent imminent harm or protect our or others' rights.
  • Business transfers. If we are involved in a merger, acquisition, restructuring, or sale of all or substantially all of our assets, your information may be transferred as part of that transaction. We will notify you by email and post a prominent notice before the transfer takes effect.
  • With your direction. When you ask us to share, for example by using a third-party integration you have authorised.

5. Cookies

We use cookies sparingly. The cookies we currently set are:

  • ilead_sid — strictly necessary, session. Keeps you signed in. Set when you start a session and cleared when you sign out. Marked HttpOnly, SameSite=Lax, and Secure over HTTPS.

Strictly necessary cookies do not require consent under Kenyan law, the EU ePrivacy Directive, or the UK PECR. We do not use analytics, advertising, or tracking cookies. If that changes, we will add a consent banner and update this Policy.

6. How long we keep it

  • Account data. Kept for as long as your account is active. If you delete your account, we delete or anonymise your personal account data within 30 days, except where we must keep records longer for legal, tax, or dispute-resolution reasons.
  • Link data. Kept as long as the link is live. If you delete a link, we remove it from active resolution immediately and from backups within the backup rotation period (up to 30 days).
  • Rate-limit records. Kept for the length of the rate-limit window, typically no longer than 60 minutes, and purged continuously.
  • Payment records. Kept for at least 7 years to comply with Kenyan tax and accounting obligations.
  • Abuse and security records. Kept as long as necessary to protect the Service and users, typically no longer than 24 months.

7. Your rights

Subject to local law, you have rights over your personal information. These include:

  • Access — request a copy of the personal information we hold about you;
  • Correction — ask us to fix inaccurate information;
  • Deletion — ask us to delete your personal information (subject to legal retention obligations);
  • Portability — request a machine-readable copy of the information you provided to us;
  • Restriction — ask us to limit how we use your information while a request is being resolved;
  • Objection — object to processing that relies on legitimate interests;
  • Withdraw consent — where we rely on consent, withdraw it at any time (this does not affect past processing); and
  • Complain — lodge a complaint with a data-protection authority. In Kenya, this is the Office of the Data Protection Commissioner (ODPC). In the EU, the supervisory authority of your country. In the UK, the Information Commissioner's Office (ICO).

To exercise any of these rights, email privacy@ilead.to. We will respond within the timeframe required by applicable law (typically 30 days in Kenya under the Data Protection Act, 2019). We may ask you to verify your identity before acting on a request.

8. How we protect your data

We apply technical and organisational measures appropriate to the sensitivity of the data we hold, including:

  • HTTPS (TLS) for all public traffic;
  • Bcrypt password hashing with a work factor that is updated over time;
  • Parameterised database queries and strict input validation;
  • CSRF protection, rate limiting, content-security policies, and other hardening;
  • Access controls and the principle of least privilege for internal access;
  • Logging and monitoring of administrative actions; and
  • Regular backups with restricted access.

No online service can guarantee absolute security. If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant authorities as required by law.

9. International transfers

We are based in Kenya. Our service providers may process your data outside Kenya, including in the European Economic Area, the United Kingdom, and the United States. Where we transfer personal data outside your country, we rely on appropriate safeguards, such as:

  • adequacy decisions issued by the Office of the Data Protection Commissioner, the European Commission, or the UK Information Commissioner;
  • standard contractual clauses; or
  • transfers necessary for the performance of a contract with you.

You can ask us for more information about the safeguards we use by emailing privacy@ilead.to.

10. Children

The Service is not directed to children under 13, and under 16 if you are in the European Economic Area or the United Kingdom. We do not knowingly collect personal information from children below these ages. If you believe a child has provided us with personal information, please contact privacy@ilead.to and we will delete the information promptly.

11. Third-party destinations

When a short link redirects to a destination URL, that destination is operated by a third party, not by us. We are not responsible for the privacy practices or content of third-party websites. You should review the privacy policies of websites you visit.

12. Changes to this Policy

We may update this Policy to reflect changes in our practices or the law. When we do, we will update the "Last updated" date at the top of this page. For material changes, we will give reasonable notice by email and a prominent in-product notice. Continued use of the Service after the effective date means you accept the updated Policy.

13. Contact

For privacy questions, complaints, or to exercise your rights:

Ronomade Technologies LTD
9 West Building, Outer ring Road, Westlands
Kenya
privacy@ilead.to

If you do not receive a timely or satisfactory response, you may contact the Office of the Data Protection Commissioner of Kenya at odpc.go.ke.

↑ Back to top