Privacy Compliance Guide for Diversion Links: How to Legally Collect IP and Browser Information and Inform Users

In Telegram Bot operations, diversion links (also known as magic links) are a powerful tool for traffic attribution. They use TG-Staff’s official short links (e.g., https://app.tg-staff.com/{code}) to capture visitors’ IP addresses, browser information (User-Agent, screen resolution, etc.) and URL parameters before redirecting to your Bot. This data is crucial for ad channel attribution, user profiling, and session diversion. But the question arises: Does collecting IP and browser information violate GDPR or the Personal Information Protection Law?

This article will detail the privacy risks, disclosure obligations, and operational checklist when using diversion links from a compliance perspective, helping your Telegram Bot team leverage data while avoiding legal risks.

---

Why Do Diversion Links Involve Privacy Compliance Issues?

The workflow of a diversion link is as follows:

1. A user clicks a diversion link in an ad, social media, or email.
2. The short link server logs the visitor’s IP address, browser information (User-Agent, language, screen parameters, etc.) and URL parameters (e.g., utm_source, utm_campaign).
3. The user is redirected to a Telegram Bot conversation.

IP addresses are explicitly recognized as personal data under most privacy regulations (e.g., GDPR) because they can pinpoint a specific device or network. Browser information, though seemingly anonymous, can be combined (e.g., IP + User-Agent) to create a browser fingerprint that indirectly identifies users. Therefore, the data collection behavior of diversion links constitutes processing personal data and requires a compliance framework.

---

Requirements of Major Privacy Regulations for IP and Browser Information Collection

Different jurisdictions have different requirements for data collection, but core principles are consistent: notice, consent, data minimization, storage limitation, and user rights protection.

IP Address and Browser Information under GDPR

• IP address: The Court of Justice of the European Union (CJEU) ruled in 2016 that dynamic IP addresses can be personal data under certain conditions. GDPR Article 4 defines personal data as “any information relating to an identified or identifiable natural person.”
• Legal basis: Typically based on “legitimate interest” or “consent.” For ad attribution, it is advisable to obtain explicit user consent.
• Processing requirements: Must inform about the purpose, processing method, storage period, and user rights. It is recommended to anonymize (e.g., truncate the last octet) or pseudonymize IP addresses to reduce risk.
• Data minimization: Collect only necessary fields (e.g., keep only the first two segments of the IP) and avoid storing full IPs longer than necessary.

Compliance Points under China’s Personal Information Protection Law (PIPL)

• IP address: Falls under the category of personal information (identifiable network device). PIPL Article 13 requires obtaining individual consent or having other legal grounds for processing personal information.
• Browser information: If used for user profiling (e.g., pushing different content based on browser), it may trigger the “automated decision-making” rules (Article 24), requiring an opt-out option.
• Disclosure requirements: The privacy policy must clearly state the types of data collected, purpose, storage period, and user rights (inquiry, correction, deletion).

---

Four Major Compliance Risks When Using Diversion Links

Operations teams often overlook the following risks when using diversion links:

1. Collecting without informing users: Not clearly stating the collection behavior in the Bot conversation or website when users click the link, violating GDPR Article 13 (information obligation).
2. No data deletion channel: Users cannot query or delete collected IP and browser information, violating GDPR Articles 15 and 17 (right of access and right to erasure).
3. Data storage exceeding limits: Keeping logs for too long (e.g., over 30 days) without an automatic cleanup mechanism, violating the data minimization principle.
4. Sharing information with third parties without notice: If the diversion link service provider (e.g., TG-Staff) processes data, the privacy policy must explain the third party’s role and data processing agreement.

---

How to Clearly Disclose Diversion Link Data Collection in Your Privacy Policy

A privacy policy is the core compliance document. You need to add a dedicated section to your website or Bot’s privacy policy explaining the role of diversion links and data processing details.

Key Fields to Include in the Privacy Policy

Field	Example Content
Data types	IP address, browser type (User-Agent), screen resolution, operating system, URL parameters (e.g., utm_source)
Collection method	Automatically captured during short link redirection
Purpose	Ad attribution, session diversion, user statistics
Storage period	Automatically deleted after 30 days (or custom period)
User rights	Inquiry, deletion, restriction of processing, data portability
Third-party processing	TG-Staff (data processing agreement available via @tgstaff_robot)

Sample Disclosure Text (Ready to Use)

Below is a Chinese disclosure text that can be directly reused or modified:

Diversion Link Data Collection Notice

When you click a short link we provide (e.g., https://app.tg-staff.com/xxx), the system automatically collects the following information: your IP address (used only for server logs and automatically deleted after 30 days), browser type and version, operating system, screen resolution, and tracking parameters in the URL (e.g., utm_source). This data is used solely for ad channel effectiveness analysis and session diversion, not for user profiling or automated decision-making. You can contact us to inquire or delete your data by sending the /privacy command. If you are located in the European Economic Area, we process the above data based on your consent (deemed given by clicking the link). Data processing is provided by TG-Staff; you can review the TG-Staff Privacy Policy for more information.

---

Compliance Checklist (5 Steps)

Follow these steps to ensure diversion link compliance:

1. Audit existing diversion link configurations

   • Check if all diversion links have tracking parameters enabled (e.g., utm_source).
   • Confirm log retention settings (TG-Staff console → Project settings → Log retention period).

2. Update privacy policy

   • Add a new “Diversion Link” or “Data Collection” section including the key fields above.
   • Ensure the privacy policy link is accessible in the Bot’s welcome message or menu.

3. Add collection notice in the Bot’s first interaction

   • Send a brief message when a user first enters the Bot, e.g., “We use diversion links to collect IP and browser information for ad analysis. See privacy policy for details: [link].”
   • Can be automated using TG-Staff’s visual command flow.

4. Set up data deletion interface

   • Implement /privacy or /delete commands in the Bot to guide users to contact support or delete data via TG-Staff console.
   • TG-Staff supports exporting and deleting related logs; see documentation for details.

5. Regularly review stored logs

   • Check monthly whether log retention is executed as planned.
   • If using audit records in content moderation features, ensure the compliance team can trace data operations.

---

Privacy Settings Recommendations When Using TG-Staff Distribution Links

The TG-Staff console provides several privacy-related configuration options to help you ensure compliance:

• Log Retention Settings: In the project settings, you can configure the number of days to retain logs (recommended ≤ 30 days).
• Data Export and Deletion: Supports exporting click records of distribution links and bulk deleting data within a specific time range.
• Content Risk Control Audit Records: Pro users can view records of agent messages that trigger risk words for internal control audits.

---

Frequently Asked Questions

Q: Will the IP addresses collected by diversion links be stored permanently?
A: No. TG-Staff does not store visitor IPs long-term by default. Diversion links are mainly used for instant redirection and attribution. The log retention period can be found in the documentation or confirmed by contacting @tgstaff_robot. We recommend that the operations team set their own data cleanup cycles.

Q: How can users query or delete personal information collected by cloned links?
A: You need to provide a data subject rights request entry in the Bot, such as via the /privacy command or by contacting customer service. The TG-Staff console supports exporting and deleting related logs. For specific operations, refer to the documentation.

Q: If my Bot only serves users in mainland China, do I still need to comply with GDPR?
A: If your users include residents of the European Economic Area (EEA), or if your server is located in an EEA country, you must comply with GDPR. Even if you only target Chinese users, you still need to meet the notification requirements for automated data collection under the Personal Information Protection Law (PIPL). We recommend adhering to the strictest regulations as a baseline.

Q: Can diversion links be set not to collect browser information?
A: Currently, TG-Staff’s diversion links collect IP and browser information by default for ad attribution and traffic analysis. If you do not need attribution features, you can disable tracking parameters for diversion links in the console, or switch to regular Bot links.

Q: Does collecting browser information count as “automated decision-making”?
A: If you only use it for statistics (e.g., browser type distribution), it is generally not considered automated decision-making. However, if you use it for user profiling to influence services (e.g., delivering different content based on different browsers), it may trigger GDPR Article 22 or the automated decision-making rules under PIPL, requiring an opt-out option.

---

Next Steps

• Try Now: Sign up for a free trial of TG-Staff (https://app.tg-staff.com/) to experience diversion links and content risk control features.
• Read the Docs: Visit the TG-Staff documentation for details on privacy-related configurations.
• Consult an Expert: Contact @tgstaff_robot for advice on compliance settings.

Diversion link privacy compliance is not an obstacle but the foundation for building user trust. Starting today, use clear notifications and transparent operations to align data collection with compliance.