Privacy Policy

This policy explains what data we collect, why, and what we do with it. We've kept it short because you shouldn't need a lawyer to understand how your data is handled.

1. What We Collect

Account data

• Email address — for login, notifications, and account communications.
• Password — stored as a bcrypt hash. We never store or see your plain-text password.

Monitoring data

• Monitor targets — the URLs, hostnames, and IP addresses you configure. These are stored in our database and visible to you in the dashboard.
• Check results — status (up/down), response times, error messages, and SSL certificate expiry data for each check we perform.
• Notification config — email addresses, webhook URLs, Pushover keys, and ntfy topic URLs you configure for alerts.

Status page data

• Page configuration — subdomain, title, theme, custom colors, custom domain settings.
• Uploaded logos — stored on our server if you upload a custom logo (Pro feature).
• Incidents — titles, messages, and status updates you create (Pro feature).

Technical data

• Server logs — request path, response status, and timing for each request to our service. Used for debugging and abuse prevention.
• Session cookies — used to keep you logged in. Essential only, no tracking cookies.

Payment data

• Payments are processed by Stripe. We store your Stripe customer ID and subscription ID. We do not store your credit card number, expiry, or CVC. Stripe's privacy policy governs how they handle your payment information.

2. What We Don't Collect

• We don't use analytics or tracking scripts.
• We don't set third-party cookies.
• We don't track you across the web.
• We don't collect data from your monitored services beyond what's needed for the check (HTTP status code, response time, SSL certificate info).

3. How We Use Your Data

• Running the service — performing monitoring checks, sending notifications, rendering status pages.
• Account management — authentication, email verification, billing, password resets.
• Service communications — trial reminders, important service updates, billing receipts. We won't spam you.
• Security and abuse prevention — detecting abuse, blocking SSRF attempts, enforcing rate limits.

4. Data Retention

We keep data for specific, documented periods:

• Check results: 7 days (free tier) or 90 days (Pro tier). Older results are automatically deleted daily.
• Notification logs: 90 days, then automatically deleted.
• Server logs: Written to disk and rotated automatically.
• Account data: Retained while your account is active. Deleted immediately when you delete your account.

What happens on downgrade

If you cancel Pro or your trial expires, monitors beyond the free tier limit (10) are paused, not deleted. Your check history beyond 7 days will be cleaned up by the next daily retention job. No data is deleted immediately — you have time to resubscribe if you change your mind.

Service discontinuation

If we discontinue the Service, we will delete user data within 14 days of the discontinuation date.

5. Public Status Pages

This is important: your public status pages are public. Anything you put on a status page — monitor names, statuses, incident messages — is visible to anyone with the URL, including:

• Search engines (pages may be indexed)
• Third-party services (via the JSON API at /api/status)
• Anyone who knows or guesses your subdomain

Choose your monitor names and page titles carefully. Don't include sensitive information.

6. Third-Party Services

We use a small number of third-party services to operate:

• Stripe — payment processing. Their privacy policy.
• Resend — transactional email delivery (verification emails, notifications, billing receipts). Their privacy policy.
• Hetzner — server infrastructure (EU-based). Their privacy policy.

We do not sell, rent, or share your personal data with any other third party.

7. Data Security

• Passwords are hashed with bcrypt.
• All connections to the service are encrypted via HTTPS/TLS.
• Session cookies are HttpOnly, Secure, and SameSite.
• We block outbound requests to private IP ranges to prevent SSRF.
• Admin access is restricted and logged.

No system is perfectly secure. If we discover a data breach that affects your personal data, we'll notify you by email as soon as reasonably possible.

8. Your Rights

You can:

• Access your data — everything you've entered is visible in your dashboard.
• Correct your data — edit your email, monitors, and settings anytime.
• Delete your data — delete your account from Settings. All your data (monitors, check results, status pages, notification config) is deleted immediately.
• Export your data — contact us if you need a full data export.

If you have questions about your data, want a full copy, or want everything deleted, email us and we'll help.

9. Cookies

We use only essential cookies:

• Session cookie (backroom_session) — keeps you logged in. Expires after 7 days.
• CSRF cookie (csrftoken) — prevents cross-site request forgery on forms.
• Theme preference — stored in localStorage (not a cookie), remembers your light/dark mode choice.

No analytics cookies. No tracking pixels.

10. Children

This service is not directed at anyone under the age of 16. If we learn that a child under 16 has created an account, we will delete it.

11. Changes to This Policy

If we make material changes to this policy, we'll notify you by email before they take effect. Minor clarifications or formatting changes won't trigger a notification.

12. Contact

Questions about your data or this policy? Email support@backroom.tools.