Introduction
At dar.vin we believe in radical transparency about your data. Operating as a collaboration between Evrim Ağacı and NTX Web Design, we have built an infrastructure that respects your privacy while providing detailed analytics. This document explains exactly what information we handle, how long it lives on our servers, and the rights you have to control it.
What We Collect
In plain words. We collect only the basic details needed to run your account and the specific analytical data required to show you how your links are performing.
When you interact with dar.vin, we collect data across three distinct categories. First, regarding your account, we collect your email address, your chosen username, a securely bcrypt-hashed version of your password, and an optional Evrim Ağacı OAuth link if you choose that login method.
Second, regarding the links you create, we store the original long URL, the short slug we generate, the creation timestamp, and any custom slug or secret key you manually provide to secure the link.
Third, regarding click events on those links, our systems record the timestamp of the click, a securely hashed version of the visitor's IP address, the user agent string, the referer header, and parsed geographical data including country, region, and interpreted device type.
Why We Collect It
In plain words. We process this data to provide the core service you signed up for, and we keep security logs to prevent abuse of the platform.
Under the Turkish Personal Data Protection Law (KVKK, Law No. 6698) and the GDPR, we process your account and link data based on your explicit consent granted during the registration process. This data is structurally necessary to operate the URL shortening service, maintain your dashboard, and attribute link ownership to you. The analytical click-event data and our system security logs are processed under the legal basis of legitimate interest. We need this telemetry to detect fraudulent behaviour, mitigate DDoS attacks, and provide the analytical dashboard that is a core feature of dar.vin.
How Long We Keep It
In plain words. We keep your account data until you delete it. We aggressively anonymise visitor IP addresses every week and keep high-level analytics forever.
Raw IP addresses captured during click events are hashed weekly using the SHA-256 algorithm combined with a monthly rotating salt. We guarantee that unhashed, raw IP addresses are never retained anywhere in our databases or logs beyond a maximum of 7 days.
Once the visitor data is anonymised and aggregated into high-level metrics (such as total country counts or referer domain counts), the aggregated, non-identifiable data is kept indefinitely to preserve your historical link analytics. If you choose to delete your account, our automated systems will wipe all user-owned data, including your profile and your links, from our active infrastructure within 30 days.
Where Data Lives
In plain words. Your data is stored on secure servers located in Germany and is handled by Evrim Ağacı and NTX Web Design.
The dar.vin infrastructure is hosted on bare-metal and cloud servers provided by Hetzner, physically located in Germany. All data is therefore processed strictly within the European Union. Under the KVKK, Evrim Ağacı acts as the official Data Controller (Veri Sorumlusu), dictating the purposes and means of data processing. NTX Web Design operates as the Data Processor (Veri İşleyen), handling engineering, infrastructure maintenance, and technical execution. Our registration with the Turkish VERBİS system will be updated to reflect this modern architecture.
Your Rights
In plain words. You own your data. You can download it, change it, or ask us to delete it completely at any time.
We are fully committed to your rights under the GDPR and the KVKK. You have the right to data portability (GDPR Article 20); you can initiate a complete export of your account and link data directly from the settings page in your dashboard. You have the right to erasure (GDPR Article 17), which you can exercise simply by deleting your account from the user interface. You also have full access to view, rectify, and update your personal information directly through the dashboard without needing to contact support.
Cookies
In plain words. We use only the minimum cookies required to keep you logged in securely.
We do not use tracking cookies, marketing pixels, or third-party advertising scripts on the dar.vin dashboard. The only cookies we place on your browser are strictly necessary session cookies designed to securely maintain your authenticated state across the application and protect against Cross-Site Request Forgery (CSRF) attacks.
Third-Party Services
In plain words. We share your data with a few trusted companies exclusively to keep the platform running, not for marketing.
To operate the platform, we use a minimal stack of third-party sub-processors. We integrate with the Evrim Ağacı OAuth system if you choose it for authentication. We use Hetzner for physical server hosting in Germany. We also use Amazon Web Services (AWS SES) strictly for delivering transactional email such as password resets and important account notifications. We have strict data-processing agreements with these entities ensuring they cannot use your data for their own purposes.
Instagram Integration
In plain words. If you connect your Instagram account to darvin, we only pull the data we need to render and publish posts on your behalf, and we let you cut that connection at any time.
What we collect when you connect Instagram. Once you authorise the integration, we store your Instagram Business account id, your Instagram username, the Facebook Page id linked to that Business account, and your Facebook user id (we keep the Facebook user id only so that we can honor Meta's data-deletion callback when it fires). For each of your recent Instagram media items we cache lightweight metadata: the media id, the permalink, the thumbnail URL, an excerpt of the caption, the media type, and the timestamp. The Page access token granted by Meta is encrypted at rest with AES-256-GCM and is never exposed to your browser.
What we do with it. We use this data to render the Instagram posts you choose on your darvin bio, to publish posts you compose to your Instagram account on your behalf, and to surface analytics on the resulting clicks. We never sell this data, share it for advertising, or use it outside your own account.
How long we keep it. We keep your Instagram data until you disconnect Instagram or delete your darvin account. You can disconnect at any time using the disconnect button in the editor, through Meta's app settings (which fires our deauthorize webhook), or via /account/data-deletion. We complete deletion of your Instagram-related data within 30 days of any of these triggers.
Your rights. You can request a complete data export or deletion at any time via /account/data-deletion. Disconnecting alone only removes the Instagram link; the deletion form removes everything we hold for you.
Contact
If you have any questions regarding this privacy policy, wish to make a manual data request, or need to contact our Data Protection Officer, you can reach our engineering and operations team directly at ops@dar.vin.