Data protection - Nonli shortener

Last updated: June 10, 2026

This document describes the technical behavior of the Nonli shortener (short domains and shortened links) with regard to the regulations applicable to trackers (article 82 of the French Data Protection Act, CNIL "cookies and other trackers" guidelines) and to transfers of data outside the European Union (chapter V of the GDPR).

It is intended for Nonli's publisher clients, their data protection officers and any authority wishing to verify the actual behavior of the service. Every statement in this document reflects the production behavior of the code and can be verified by inspecting the HTTP responses of the service.

This document complements the CNIL self-evaluation of the Nonli SDK, which covers editorial audience measurement. It documents Nonli's own analysis, without prejudice to any analysis the CNIL may carry out as part of its missions.

1. Summary#

QuestionAnswerRationale
Does the shortener set trackers?NoA short-link redirect is a plain HTTP exchange: nothing is written to the visitor's device, nothing is read from it.
Does the shortener create a visitor identifier?NoNo cookie, no local storage, no fingerprinting, no identifier of any kind.
What does the shortener measure?Aggregated countersClick counts per link, per post, per brand and per domain, with no individual data.
Is any data sent to the United States?NoThe shortener stores no personal data at all. Measurement data (anonymous counters) is hosted in the European Union.

2. How a click works#

When a visitor clicks a Nonli short link (for example go.example.com/abc), the sequence is:

  1. The browser sends an HTTPS request to the publisher's short domain.
  2. The Nonli application, hosted in the European Union, resolves the short identifier and retrieves the destination URL.
  3. If the request comes from a real browser (bots are excluded through transient User-Agent inspection), aggregated counters are incremented.
  4. The application answers with an HTTP 301 redirect to the destination URL, with no-store headers that forbid shared caching of the redirect.

The exchange is limited to this. The response contains no Set-Cookie header, no script, no pixel, no executable content.

3. No trackers#

Within the meaning of article 82 of the French Data Protection Act, a tracker requires an operation of writing to or reading from the user's device (cookie, local storage, fingerprinting, or any equivalent mechanism).

A Nonli short-link redirect performs none of these operations:

  • no cookie is set, by Nonli or on its behalf;
  • no cookie is read from the device;
  • no local storage (localStorage, sessionStorage, IndexedDB) is used;
  • no fingerprinting is performed;
  • no visitor identifier is created or matched;
  • no script is served: the response is a pure HTTP redirect.

The shortener therefore does not fall within the scope of mechanisms subject to consent collection. This behavior is verifiable by anyone by inspecting the response headers of a short link (no Set-Cookie, 301 redirect with Cache-Control: no-store).

The CNIL has developed a specific analysis for tracked links, notably in emails: when a URL embeds an identifier specific to the recipient, the click transmits to the server information that makes it possible to follow the person individually, which the CNIL analyses as a reading operation subject to article 82.

Nonli short links do not match this pattern:

  • the short URL identifies a piece of content, not a person: the same short link is shared publicly and is identical for every visitor who clicks it. It contains no recipient, session or user identifier;
  • the HTTP request issued by the click only transmits the standard elements needed to establish the communication (hostname, path, technical browser headers), with no added parameter relating to the visitor;
  • the redirect to the article is the service expressly requested by the visitor who clicks: resolving the short link is strictly necessary to provide that service;
  • the purposes are limited to aggregated editorial statistics on behalf of the publisher: no advertising targeting, no profiling, no personalized advertising and no individual profile building are carried out, by Nonli or on its behalf.

Therefore, even under the most extensive reading of article 82, the conditions that would require consent collection (individual identifier transmitted, purposes unrelated to the requested service, advertising use) are not met.

4. Processed data#

4.1. Aggregated counters#

The statistics produced by the shortener are exclusively counters:

  • number of clicks per short link;
  • number of clicks per associated post;
  • aggregations per brand, per domain and per period.

For flying links, the click counter is broken down by coarse technical categories transiently derived from the User-Agent (social network of origin, browser type, device family, operating system family). These categories are aggregates: the raw User-Agent is not retained and no combination makes it possible to single out an individual.

4.2. Transient technical data#

Like any web service, the shortener receives technical transport data for the duration of the HTTP request:

  • the User-Agent is transiently inspected to exclude bots from counting and, for flying links, to determine the technical category of the click; it is not retained;
  • the HTTP referrer may be transiently inspected to identify the social network of origin; it is not retained;
  • the IP address is not read by the shortener application path: it is used neither for counting nor for geolocation, and access logging is disabled at the Nonli production proxy level.

None of this data reaches the counters or any other measurement storage.

5. Data location and transfers#

Since the shortener stores no personal data, there is no individual data that could be transferred outside the European Union.

Regarding the data actually stored and the infrastructure:

  • short links and their anonymous counters are hosted in the European Union, on Nonli's production infrastructure (Google Cloud, europe-west1 region, Belgium);
  • media associated with posts is hosted in France (OVHcloud);
  • Cloudflare acts as a technical provider for TLS, routing and protection against malicious traffic on short domains. In that role, Cloudflare transiently processes transport data, like any network intermediary. Cloudflare is certified under the EU-U.S. Data Privacy Framework and has no audience-measurement purpose on behalf of Nonli; its bot protections are separate from Nonli click counters.

The shortener sends no measurement data to services located in the United States: counters are written and kept in the European Union, and they contain no personal data.

The scope of this document ends at the redirect: the hosting of the publisher's destination website, the third-party content loaded there and the analytics tools reading any URL parameters there belong to the publisher and its own providers, not to the Nonli shortener.

Finally, the behavior described in this document is that of the production service. The Nonli shortener has set no cookie at all since 22 January 2025; observations prior to that date do not reflect the current behavior of the service.

6. Dynamic URL parameters#

By default, Nonli adds no analytics parameter to destination URLs. If a publisher configures dynamic parameters (for example utm_*, at_*, mtm_*, xtor), these parameters belong to its own tagging plan and its own analytics tools: they are read by the publisher's destination website, not by Nonli. The publisher must ensure that this configuration and the receiving tools comply with its own obligations.

7. Processing on behalf of the publisher#

Nonli acts on behalf of the publisher client. The applicable commitments (confidentiality, technical and organizational measures, data return or deletion, subprocessing) are described in the GDPR agreement. One publisher's data is never pooled with another's, and Nonli does not reuse its clients' data for its own purposes.

8. Right to object#

The shortener's measurement path does not process personal data: no cookie, no identifier, no IP address in the counters, aggregates per link and per publisher. As a result, no specific objection mechanism is required for click counting.

9. Contact#

For any question or complaint regarding this document: [email protected].

Related documents: CNIL self-evaluation - Nonli SDK, GDPR - Data Processing, Privacy Policy, Cookie Policy, FAQ - What is a custom shortlink domain?.

Other Legal Pages

CNIL self-evaluation - Nonli SDKPrivacy PolicyCookie PolicyGDPR - Data Processing