Uptime Monitor Privacy Policy

Version 1 – effective from 16 May 2026.

1. General information

1. This Privacy Policy describes the rules for processing personal data and the use of cookies and similar technologies in the Uptime Monitor Service.
2. The controller of personal data is Infoweb, ul. Wrzosowa 12a/3, 55-080 Smolec, Poland, NIP: 7342997158.
3. Contact regarding privacy and personal data matters: contact@uptimestats.eu or via the contact form available in the Service.
4. The Controller has not appointed a Data Protection Officer. All requests and questions regarding personal data should be directed to the Controller at the address given in point 3.

2. Data we process

1. When using the Service, we may process the following data:
   1. first name,
   2. email address,
   3. user account data and login credentials (password stored as a cryptographic hash),
   4. data relating to monitored websites, projects and alerts,
   5. team data related to sharing monitors with other users (email addresses of invited persons),
   6. technical data, including IP address, session identifiers, device, browser and operating system information,
   7. system and security logs,
   8. data about Service usage and User activity,
   9. data necessary for billing (invoice data: name, tax ID, address).
2. During the beta phase, the Service does not support online payments. Settlements are made on the basis of a proforma invoice and bank transfer – the Service does not process payment card details or online banking login credentials.

3. Purposes and legal bases for processing

We process personal data for the following purposes:

1. creating and managing an Account,
2. providing website availability monitoring services,
3. checking SSL certificates and page load times,
4. sending alerts and email, web push and phone (ntfy) notifications,
5. maintaining monitoring statistics and history,
6. managing Projects, Status pages and team collaboration,
7. entering into and performing the agreement,
8. billing and issuing invoices,
9. handling complaints and communicating with the User,
10. asserting and defending against claims,
11. fulfilling legal obligations, including tax and accounting requirements,
12. ensuring the security of the Service,
13. analytics and development of the Service.

The legal bases for processing include in particular:

1. Article 6(1)(b) GDPR – performance of a contract or steps taken prior to entering into a contract,
2. Article 6(1)(c) GDPR – legal obligations,
3. Article 6(1)(f) GDPR – legitimate interests of the Controller (including security, analytics, asserting claims),
4. Article 6(1)(a) GDPR – consent of the data subject, to the extent it is required.

4. Recipients of data and processors

1. Personal data may be disclosed to entities cooperating with the Controller, solely to the extent necessary for the provision of services. In particular, the Controller uses the following entities:
   • Hetzner Online GmbH (Germany, EU) – hosting of application and database servers; data stored within the European Union;
   • ntfy.sh (public push notification server) – delivery of phone notifications, if the User enables this channel; the topic and the alert content are sent to the server;
   • Browser push services (including Google, Mozilla, Apple) – delivery of web push notifications; the notification payload is encrypted;
   • Google LLC (USA) – reCAPTCHA (protecting forms against bots) and Google Analytics / Google Tag Manager (analytics on the Service's information pages), where configured;
   • outgoing mail (alerts and system messages) is handled by the Controller's mail server located in the EU;
   • entities providing accounting, legal or debt-collection services and public authorities – where required by law.
2. The Controller enters into appropriate data processing agreements with processors where required.

5. Data transfers outside the EEA

1. Data stored within hosting is located on servers in the European Union.
2. With regard to the use of Google LLC services (reCAPTCHA, Google Analytics, Google Tag Manager) and browser push services, data may be transferred to countries outside the European Economic Area. In such cases, the Controller applies appropriate safeguards required by the GDPR, in particular standard contractual clauses (SCC) approved by the European Commission.

6. Data retention periods

We retain data for no longer than necessary to achieve the purposes of processing, in particular:

1. Account data – for the duration of the service provision, and thereafter for the period necessary for billing and securing claims,
2. account data after deletion – up to 30 days after Account deletion, unless applicable law requires longer retention,
3. monitoring data – for the period determined by the selected Plan, i.e. from 1 to 12 months, and thereafter in accordance with retention or deletion rules,
4. billing data – for the period required by applicable law (including tax law),
5. technical and security logs – as a rule up to 90 days, and in the event of a security incident for the time necessary to investigate it,
6. data processed on the basis of consent – until consent is withdrawn or an effective objection is raised, provided no other legal basis for further processing exists.

7. Rights of data subjects

In connection with the processing of your personal data, you have the right to:

1. access your data,
2. rectify your data,
3. erase your data,
4. restrict processing,
5. data portability,
6. object to processing,
7. withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal,
8. lodge a complaint with the President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, Poland.

Requests relating to the exercise of the above rights should be sent to contact@uptimestats.eu. The Controller will respond without undue delay, no later than within 30 days of receiving the request.

8. Data security

1. The Controller applies appropriate technical and organisational measures to protect data against unauthorised access, loss, destruction, modification or disclosure.
2. Security measures include in particular:
   1. encryption of transmission via HTTPS,
   2. storing passwords solely as one-way cryptographic hashes,
   3. access control and authentication mechanisms,
   4. rate limiting of login attempts and CSRF tokens,
   5. server-side security measures and backups,
   6. incident monitoring,
   7. restricting employee and contractor access to data solely to the extent necessary for the performance of their duties.

9. Cookies and similar technologies

1. The Service uses cookies and similar technologies. In particular these are:
   • essential cookies – authentication tokens (access_token, refresh_token), the session identifier and the CSRF token; required for login and secure operation of the Service;
   • preference cookies – including the interface language choice;
   • analytics cookies (Google Analytics / Tag Manager) – optional, set only on the Service's information pages where configured;
   • reCAPTCHA cookies – set by Google to protect forms against bots.
2. Essential and security cookies cannot be disabled without loss of functionality. Analytics and reCAPTCHA cookies can be restricted in browser settings, which may affect the operation of some features.

10. Automation and profiling

1. The Service uses automated technical monitoring mechanisms.
2. Automation relates in particular to collecting information about website status, response time and SSL certificate validity.
3. The Controller does not make decisions with legal effects concerning the User solely by automated means, unless applicable law provides otherwise or the User has given separate consent.

11. Changes to the Privacy Policy

1. The Privacy Policy may be updated in response to legal, technical or organisational changes. Registered Users will be informed of material changes by email or via the Service.
2. The current version of the document is always available in the Service. The version number and effective date are indicated in the document header.