Privacy Policy

Last Updated: April 1, 2026 · Effective: April 1, 2026

Data Controller: Necati Atahan

1. Introduction

bah.is ("Necati Atahan," "we," "our," "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our website (https://bah.is) and services (collectively, the "Services").

This Privacy Policy is an integral part of our Terms of Service. By using our Services, you agree to the practices described in this policy.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Email address
  • Username
  • Password (stored in hashed form only)
  • Account creation date and time

2.2 Service Usage Data

When you use our Services, the following data may be collected automatically:

  • Short links created and their destination URLs
  • Click data (timestamp, country/region, device type, browser, referring page)
  • API usage logs (endpoints called, timestamps, response codes)

2.3 Technical Data

  • Browser type and version
  • Operating system
  • Device type
  • Screen resolution
  • Language preference
  • Access timestamps

2.4 Payment Information

When you purchase a paid plan, your payment information is processed directly by our payment processor (Stripe). bah.is does not store, access, or process your credit card numbers, CVV codes, or full payment credentials. We receive only a transaction identifier, plan type, and billing status from Stripe.

2.5 IP Address Processing

IP addresses are processed for service security and abuse prevention purposes. Our IP address processing methods are described in detail in our Cookie Policy.

2.6 Communications Data

If you contact us for support or other inquiries, we may collect your name, email address, and the content of your communications.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Providing, maintaining, and improving the Services
  • Account management and authentication
  • Providing click analytics and reporting to link owners
  • Preventing abuse, fraud, and ensuring platform security
  • Complying with legal obligations and responding to lawful requests
  • Providing technical support
  • Billing, invoicing, and payment processing
  • Sending marketing communications (only with your explicit opt-in consent)
  • Generating aggregated, anonymized statistics about platform usage

4. Information Sharing

We do not sell your personal information.

We may share your information with third parties only in the following circumstances:

4.1 Service Providers

Trusted third-party service providers that help us deliver the Services:

  • Cloudflare: Content delivery, DNS, security, and performance optimization (infrastructure provider)
  • Stripe: Payment processing (payment processor)

Each service provider is contractually obligated to process data only for the purposes of providing their services to us and to maintain appropriate security measures.

4.2 Legal Requirements

When required by applicable law, valid court order, subpoena, or government request. We will attempt to notify you before disclosing your information unless prohibited by law. See our Law Enforcement Request Policy for details.

4.3 Rights and Safety Protection

When we believe in good faith that disclosure is necessary to protect our rights, your safety, the safety of others, or to investigate fraud or a security incident.

4.4 Business Transfer

In the event of a merger, acquisition, reorganization, or sale of assets, your information may be included among the transferred assets. We will notify you by email and/or prominent notice on our website before your information becomes subject to a different privacy policy.

4.5 Aggregated Data

We may share aggregated, de-identified data that cannot reasonably be used to identify you. Such data is not considered personal information under this policy.

5. Data Retention Schedule

Data Category Retention Period Deletion Method
Account informationDuration of active account + 30 days after closurePermanent deletion
Click analyticsDuration of active account + 30 days after closurePermanent deletion
Billing records7 years from the relevant transaction (legal requirement)Deletion after legal period
Technical logsMaximum 90 daysAutomatic rotation
Marketing consent recordsDuration of consent + 3 years after withdrawal (for proof)Deletion after period
Agreement consent recordsDuration of active account + 3 years after closureDeletion after period
Support correspondence2 years from last interactionPermanent deletion
Abuse/security investigation records3 years from resolutionPermanent deletion

5.1 Legal Hold

In the event of an ongoing legal proceeding, investigation, or legal obligation, relevant data may be retained beyond the periods above for as long as necessary.

6. Account Deletion and Data Processing

6.1 Deletion Request

You may close your account through your account settings or by sending an email to legal@bah.is.

6.2 Deletion Process

Following an account closure request:

  1. Immediately: Account access is disabled and short links cease to resolve
  2. Within 30 days: All personal data, click analytics, consent records, and account data are permanently deleted
  3. Subject to legal retention: Billing records are retained for the legally required 7-year period

6.3 Recovery Period

Within 14 days of an account closure request, you may reactivate your account by writing to legal@bah.is. After 14 days, the deletion process is irreversible.

6.4 Backup Systems

Data in backup systems is automatically purged within the normal backup rotation cycle (maximum 30 days after deletion from primary systems).

7. User Rights

7.1 All Users

All users have the following rights, which may be exercised by contacting legal@bah.is:

  • Right of access: To obtain a copy of the personal data we hold about you
  • Right of rectification: To request correction of inaccurate or incomplete data
  • Right of deletion: To request deletion of your personal data
  • Right of objection: To object to certain types of data processing
  • Right of portability: To request your data in a structured, machine-readable format (JSON or CSV)
  • Right to withdraw consent: To withdraw marketing or other optional consents at any time

We will respond to all rights requests within 30 days. If a request is complex, we may extend this period by an additional 30 days with notice to you.

7.2 Identity Verification

Before fulfilling a rights request, we may need to verify your identity to prevent unauthorized access to personal data.

8. Regional Privacy Rights

8.1 European Union Residents (GDPR)

If you reside in the EU or EEA, you have additional rights under the General Data Protection Regulation:

  • Legal basis for processing: Performance of contract (providing the Services), legitimate interest (security, abuse prevention), and explicit consent (marketing)
  • Right to lodge a complaint with your local Data Protection Authority
  • Right to object to automated decision-making processes
  • Right to restriction of processing in certain circumstances
  • Data transfers: When your data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place

8.2 California Residents (CCPA/CPRA)

If you are a California resident:

  • You have the right to know the categories and purposes of personal information we collect
  • You may request deletion of your personal information
  • You have the right to opt out of the sale or sharing of personal information — we do not sell or share your personal information as defined under the CCPA/CPRA
  • You will not be discriminated against for exercising these rights
  • You may designate an authorized agent to make requests on your behalf

8.3 Other US State Privacy Rights

Additional state privacy laws (including those in Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and others) may grant you similar rights. For information about your state-specific rights, contact legal@bah.is.

8.4 Turkey Residents (KVKK)

If you reside in Turkey, under the Personal Data Protection Law No. 6698 ("KVKK"):

  • You have the right to learn whether your personal data has been processed
  • You may request information regarding the processing
  • You may learn the purpose of processing and whether data is used in accordance with its purpose
  • You may request correction of incomplete or inaccurate personal data
  • You may request deletion or destruction under the conditions set forth in Article 7 of KVKK
  • You have the right to file a complaint with the Personal Data Protection Board (KVKK Kurulu)

9. Children's Privacy

Our Services are not intended for individuals under 18 years of age. We do not knowingly collect personal information from individuals under 18. If we become aware that we have collected personal data from someone under 18, we will promptly delete the relevant information and terminate the associated account.

10. Security

We implement commercially reasonable security measures to protect your personal information, including encryption in transit (TLS), hashed password storage, access controls, and regular security reviews. However, no method of transmission over the internet or electronic storage is 100% secure, and we cannot guarantee absolute security.

For details about our security practices, see our Security Policy.

11. International Data Transfers

If you access the Services from outside the United States, your information may be transferred to and processed in the United States. By using the Services, you consent to such transfer. We take steps to ensure your data receives adequate protection in accordance with applicable law.

12. Third-Party Links

Our Services inherently involve links to third-party websites. We have no control over the privacy policies or practices of destination websites and are not responsible for them. We encourage you to review the privacy policies of any website you visit through our short links.

13. Policy Changes

We may update this Privacy Policy from time to time. For material changes:

  • A notification will be sent to the email address registered to your account
  • Changes will be posted on this page with a revised effective date
  • Material changes will be announced at least 14 days before taking effect

14. Contact and Data Controller

For questions about this Privacy Policy, to exercise your rights, or to file a complaint:

  • Data Controller: Necati Atahan
  • Email: legal@bah.is
  • Web: https://bah.is
  • Mailing Address: 9528 Miramar Rd #1225 San Diego, CA 92126

© 2026 Necati Atahan — All rights reserved.