Effective Date: February 22, 2026
Last Updated: February 22, 2026
Welcome to UpMonitor ("we", "us", or "our"). We are committed to protecting your personal data and your right to privacy. This Privacy Policy explains how we collect, use, store, and share information when you use our website monitoring platform at upmonitor.io and all associated services (collectively, the "Service").
Please read this policy carefully. If you disagree with its terms, please discontinue use of our Service.
1. Who We Are
UpMonitor is operated by UpMonitor LTD ("Company").
- Email: privacy@upmonitor.io
- Registered Address: Bulgaria, Pleven, Byalo More 20
- Company Registration No. (EIK): 208736465
- VAT Number: BG208736465
For European Union residents, UpMonitor acts as the Data Controller for the personal data you provide to us.
2. What Data We Collect
2.1 Information You Provide Directly
- Account Data: Name, email address, and password (hashed) when you register.
- Profile Data: Optional display name, avatar, and notification preferences.
- Payment Data: Billing name, address, and payment method details - processed directly by Stripe (we never store full card numbers).
- Support Communications: Any information you include in support requests or emails to us.
2.2 Data We Collect Automatically
- Monitored URLs: The website addresses you configure for monitoring.
- Check Results: Response times, SSL certificate details, HTTP status codes, DNS records, and other diagnostic data gathered from your monitored endpoints.
- Usage Data: Pages visited, features used, button clicks, and time-on-page - collected to improve the Service.
- Log Data: IP addresses, browser type, operating system, request timestamps, and referring URLs.
- Cookies and Similar Technologies: Session cookies, preference cookies, and analytics identifiers. See Section 8 for details.
2.3 Anonymous Public Audit Data
When you use the free public audit tool on our landing page without an account, we collect the URL you submitted and the audit results. This data may be temporarily cached (up to 5 minutes) and is not linked to any individual. No account is required for this feature.
3. Why We Collect Your Data (Lawful Basis)
We process your personal data under the following lawful bases under the GDPR:
| Purpose | Data Involved | Lawful Basis |
|---|---|---|
| Providing the Service | Account data, monitored URLs, check results | Contract (Art. 6(1)(b)) |
| Billing & payments | Payment data | Contract (Art. 6(1)(b)) |
| Security & fraud prevention | Log data, IP addresses | Legitimate Interest (Art. 6(1)(f)) |
| Usage analytics (in-house) | Anonymised page views, feature events | Consent (Art. 6(1)(a)) |
| Marketing emails (optional) | Email address | Consent (Art. 6(1)(a)) |
| Legal obligations | Any required data | Legal Obligation (Art. 6(1)(c)) |
4. How We Use Your Data
We use the data we collect to:
- Create and manage your account
- Run monitoring checks on your behalf and deliver results, alerts, and reports
- Process payments and manage subscriptions
- Send transactional emails (downtime alerts, SSL expiry warnings, weekly reports)
- Improve, debug, and personalise the Service
- Detect and prevent abuse, fraud, and security threats
- Comply with applicable laws and regulations
- Respond to your support enquiries
We do not sell your personal data to third parties.
5. Data Sharing & Third-Party Processors
We share data only with trusted third-party processors under contractual data processing agreements (DPAs) that comply with GDPR requirements:
| Processor | Purpose | Data Shared |
|---|---|---|
| Google Cloud Platform / Firebase | Hosting, database, authentication, serverless compute | Account data, check results, logs |
| Stripe | Payment processing | Billing name, address, payment method |
| SendGrid (Twilio) | Transactional email delivery | Email address, alert content |
We do not use any third-party analytics or advertising trackers. All usage analytics are processed by our own in-house service, which collects only anonymised, aggregated events (no PII).
We do not share your monitored URL data or check results with any third party unless required by law.
6. International Data Transfers
UpMonitor uses Google Cloud Platform infrastructure. Some of your data may be stored and processed outside the European Economic Area (EEA), including in the United States. Where such transfers occur, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent safeguards, to protect your data.
7. Data Retention
We retain your personal data for as long as your account is active or as needed to provide the Service:
- Account data: Retained until you delete your account, then purged within 30 days.
- Check results & monitoring history: Retained per your subscription tier - 30 days (Free), 90 days (Pro), 365 days (Agency).
- Log data: Retained for 30 days for security and debugging purposes.
- Billing records: Retained for 7 years to comply with legal and tax obligations (Bulgarian Accountancy Act).
- Anonymised public audit cache: Purged automatically after 5 minutes.
8. Cookies & Tracking Technologies
We use the following types of cookies:
| Cookie Type | Purpose | Consent Required | Duration |
|---|---|---|---|
| Strictly Necessary | Session management, authentication | No | Session |
| Preference | Theme (dark/light), language | No | 12 months |
| Analytics | Anonymised usage tracking (in-house) | Yes | 13 months |
We display a cookie consent banner when you first visit the Service. Analytics tracking is only activated after you explicitly accept. You can change your preferences at any time via the cookie settings link in the site footer. Revoking analytics consent stops all future tracking and has no effect on core Service functionality.
9. Your Rights Under GDPR (EU/EEA Residents)
If you are located in the European Union or European Economic Area, you have the following rights:
- Right to Access - Request a copy of the personal data we hold about you.
- Right to Rectification - Request correction of inaccurate or incomplete data.
- Right to Erasure ("Right to be Forgotten") - Request deletion of your personal data where no legal obligation requires us to retain it.
- Right to Restriction - Request that we limit how we process your data.
- Right to Data Portability - Receive your data in a structured, machine-readable format.
- Right to Object - Object to processing based on legitimate interests or for direct marketing.
- Right to Withdraw Consent - Where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, contact us at privacy@upmonitor.io. We will respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority (e.g., the Commission for Personal Data Protection in Bulgaria, or the ICO in the UK).
10. Your Rights Under CCPA (California Residents)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the CPRA, grants you the following rights:
- Right to Know - What categories of personal information we collect and how we use it.
- Right to Delete - Request deletion of your personal information (subject to exceptions).
- Right to Correct - Request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing - We do not sell or share your personal information for cross-context behavioural advertising.
- Right to Limit Use of Sensitive Personal Information - We do not collect sensitive personal information as defined by CPRA beyond what is necessary to provide the Service.
- Right to Non-Discrimination - You will not be discriminated against for exercising your CCPA rights.
To submit a CCPA request, email us at privacy@upmonitor.io or use the in-app account deletion feature. We will verify your identity and respond within 45 days.
11. Children's Privacy
UpMonitor is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at privacy@upmonitor.io and we will delete it promptly.
12. Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- TLS encryption for all data in transit
- Encryption at rest for all stored data
- Firebase Authentication with secure token management
- Role-based access controls for all internal systems
- Regular security reviews and dependency audits
No system is perfectly secure. In the event of a data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (if you have an account) and update the "Last Updated" date at the top of this page. We encourage you to review this policy periodically. Continued use of the Service after changes constitute acceptance of the revised policy.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy, please contact our privacy team:
- Email: privacy@upmonitor.io
- Subject line: Privacy Policy Enquiry
We aim to respond to all enquiries within 5 business days.