We didn't invent link cleaning. So what did we actually build?
Let me open with something most founders wouldn't: almost none of the cleaning logic in Unfurl is mine.
The rules that decide what counts as a tracker — ClearURLs, Brave's lists, AdGuard's URL Tracking filter, the EasyList lineage. The $removeparam syntax I parse — uBlock Origin's. The "pull the real link out of a redirect" idea — Brave called it debouncing years ago. I didn't invent any of it. I read a lot and leaned hard into open standards, on purpose.
So when someone asks about the moat, the honest first answer is: it isn't the cleaning. Which raises the actual question, and the reason I'm starting this thread — once the hard knowledge is already open source, what's left to build?
First, the terrain — because the tradeoffs are the interesting part.
Stripping parameters is the solved, boring layer. utm_*, fbclid, the 300-character Amazon tail — open lists already catalog these, and ABP $removeparam is a robust shared syntax for them. If that's all you want, you can ship it in a weekend on someone else's list. (You should. They're excellent.)
Unwrapping is where it gets textured. A linkedin.com/safety/go/?url=… or a doubleclick…/aclk?adurl=… hides the destination inside itself — in three flavors, three costs:
Encoded (percent/base64): the address is on the envelope, just scrambled. Decode locally. Free and private.
Opaque shortener (bit.ly, lnkd.in): a coat-check ticket. The destination isn't in the string at all — only the server knows. You have to ask it. That's a network request.
Encrypted wrapper (SendGrid-style): the address is there, but locked. Same cost — network.
And that network step is the sharpest tradeoff in the category: to unwrap a click-tracker by following it, you fire the very click you were avoiding. So you're either offline and incomplete, or online and complete — and if you go online you'd better do it carefully (no cookies, honest user-agent, optional Tor) so the cure isn't worse than the disease. I default to offline.
Click-time vs copy-time is the other axis. On the Mac I watch the clipboard and clean the instant you copy. In the browser I clean as the page loads — and here's the one piece of genuinely hard-won engineering I'll claim: I do it with Safari's declarativeNetRequest. The forums insist Safari's DNR can't rewrite URLs, that AMP-unwrap "isn't possible," that the version tables don't line up. I didn't buy it, built a throwaway probe extension, and tested on a real iPhone — Safari does honor regexSubstitution (since 17.0). The reason it's worth the fight: DNR cleans at the network layer and the extension never sees your browsing — it literally can't tell you what it cleaned. Perfect privacy, at the cost of power: DNR can't decode an encoded wrapper or resolve a shortener. So DNR for the click, the clipboard engine for the copy. Same rules, two engines, because each surface has a different ceiling.
So, back to the moat. If the rules are borrowed and the techniques are documented, what's the product? After building this, my honest answer is three things, none of them an algorithm:
The map. Knowing which technique belongs on which surface and composing them so you never think about any of it. The judgment is the work.
Privacy as a constraint, not a checkbox. On-device by default, network strictly opt-in, DNR because it can't watch you, honest user-agent over browser-spoofing, favicons through a proxy that doesn't profile. None of those is a feature — the consistency is, and it's hard to clone because it requires saying no a lot.
Making invisible work legible. The part I'll actually take credit for. The cleaning should vanish — my beta tester and my partner both, independently, said "I forget it's even there," which is the highest praise a background tool can earn. But invisible can't mean opaque. So Unfurl shows the full before/after diff, keeps a searchable history you can restore from, flags the links it couldn't fully clean instead of failing silently, and — the part I'm proudest of — explains, on-device, what each tracker you just removed actually did. Most cleaners are a black box that says "trust me." I wanted glass.
And because this is a thread, not a pitch — here's what I'm genuinely unsure about. Argue with me:
Is "curation + UX + integrity" a real moat, or something a motivated dev clones in a weekend? I lean toward taste compounds, but I'm biased.
Where's the honest line between standing on open standards and just wrapping them? I'm open-sourcing my own rule additions and upstreaming them — am I giving away my only original IP, or is that exactly what makes it defensible?
The network-unwrap irony: how far should a privacy tool go before the act of unwrapping becomes the tracking?
The existential one: should any of this be a third-party app at all, or is it the browser's / the OS's job — making all of us a stopgap until the platforms catch up?
I don't think the moat in this category is a clever line of code. I think it's taste, restraint, and honesty — three things easy to say and brutally hard to sustain. But I'd love to be argued out of it.
What would you build differently?

Replies